IAM Password Policy Requires Uppercase Letters
Overview
This check verifies that your AWS account's password policy requires at least one uppercase letter (A-Z) in IAM user passwords. Strong password policies help protect your AWS resources from unauthorized access.
Risk
Without an uppercase-letter requirement, users can choose passwords drawn from a smaller character set, which are easier to guess or crack. Weak passwords can lead to:
- Unauthorized access to your AWS account
- Data breaches or data loss
- Unexpected charges from misused resources
- Compliance violations
Remediation Steps
Prerequisites
- AWS account access with permission to modify IAM settings (typically requires administrator access)
- Access to the AWS Console or AWS CLI
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to IAM (search for "IAM" in the search bar)
- In the left navigation panel, click Account settings
- Under Password policy, click Edit
- Check the box for Require at least one uppercase letter (A-Z)
- Click Save changes
AWS CLI (optional)
Important: The update-account-password-policy command replaces your entire password policy. If you have other requirements configured (like minimum length or symbols), you must include them all in the command or they will reset to defaults.
Quick fix (uppercase only):
aws iam update-account-password-policy \
    --require-uppercase-characters \
    --region us-east-1
Recommended (comprehensive policy):
aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --require-numbers \
    --require-symbols \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention 24 \
    --region us-east-1
View current policy first:
aws iam get-account-password-policy --region us-east-1
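Because update-account-password-policy replaces the whole policy, a safe scripted fix reads the current policy first and re-submits every existing setting plus the uppercase requirement. The following boto3 script is an added example, not Prowler's or AWS's own code; it assumes boto3 is installed and that the caller has iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy permissions. It also handles the case where the account has no custom policy yet, which the API reports as NoSuchEntity.

```python
"""Require uppercase letters without clobbering the rest of the password policy."""
from typing import Any, Dict

# GetAccountPasswordPolicy returns ExpirePasswords, but UpdateAccountPasswordPolicy
# does not accept it as input (it is derived from MaxPasswordAge), so drop it.
READ_ONLY_FIELDS = {"ExpirePasswords"}

# Constructed sample of a GetAccountPasswordPolicy response, used for testing only.
SAMPLE_POLICY: Dict[str, Any] = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24,
}


def needs_change(current: Dict[str, Any]) -> bool:
    """True when no policy exists or the policy does not require uppercase letters."""
    return not current.get("RequireUppercaseCharacters", False)


def merge_uppercase_requirement(current: Dict[str, Any]) -> Dict[str, Any]:
    """Build UpdateAccountPasswordPolicy kwargs that keep every existing setting
    and additionally require at least one uppercase letter.

    `current` is the PasswordPolicy dict from GetAccountPasswordPolicy, or {} when
    the account has no custom policy; unspecified fields then get the API defaults.
    """
    desired = {k: v for k, v in current.items() if k not in READ_ONLY_FIELDS}
    desired["RequireUppercaseCharacters"] = True
    return desired


def main() -> None:
    import boto3  # imported here so the pure functions above need no SDK

    iam = boto3.client("iam")  # IAM is global; no region-specific endpoint needed
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        current = {}  # no custom password policy has been set on this account
    if not needs_change(current):
        print("Password policy already requires uppercase letters; nothing to do.")
        return
    new_policy = merge_uppercase_requirement(current)
    iam.update_account_password_policy(**new_policy)
    print("Updated password policy:", new_policy)


if __name__ == "__main__":
    main()
```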
CloudFormation (optional)
Note: AWS CloudFormation does not have a native resource type for IAM account password policies. You must use either:
- The AWS CLI or Console (recommended for simplicity)
- A Lambda-backed custom resource
- Terraform (shown in the next section)
If you need infrastructure-as-code management for password policies, Terraform provides a straightforward solution.
Terraform (optional)
Add this resource to your Terraform configuration:
resource "aws_iam_account_password_policy" "strict" {
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  minimum_password_length        = 14
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}
Minimal configuration (uppercase only):
resource "aws_iam_account_password_policy" "uppercase" {
  require_uppercase_characters = true
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
AWS Console
- Go to IAM > Account settings
- Confirm "Require at least one uppercase letter" is checked
CLI Verification
aws iam get-account-password-policy --region us-east-1 \
    --query 'PasswordPolicy.RequireUppercaseCharacters'
Expected output: true
Full policy check:
aws iam get-account-password-policy --region us-east-1
Additional Resources
- AWS IAM Password Policy Documentation
- AWS Security Best Practices in IAM
- Prowler Check Documentation
Notes
- IAM is global: Password policy changes apply to the entire AWS account, not just one region.
- Existing passwords: Changing the policy does not affect existing passwords. Users will need to update their passwords to meet new requirements at their next password change.
- Consider MFA: Password policies are just one layer of defense. Enable multi-factor authentication (MFA) for all IAM users for stronger security.
- Federated identity: If you use AWS IAM Identity Center (SSO) or another identity provider, those systems manage password policies separately.