Password policy complexity

1.5 to 1.11 Identity and Access Management (AWS CIS Benchmark).

Description

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure that passwords comprise different character sets.

It is strongly recommended that your organization's password policy:

  • Requires at least one uppercase letter (1.5)
  • Requires at least one lowercase letter (1.6)
  • Requires at least one symbol (1.7)
  • Requires at least one number (1.8)
  • Requires a minimum password length of 14 characters (1.9)
  • Prevents password reuse (1.10)
  • Expires after 90 days or less (1.11)

Set the password policy to follow the rules above via the AWS Management Console

Step 1. Log in to the AWS Console at https://console.aws.amazon.com/vpc/home (with appropriate permissions to view Identity and Access Management account settings).

Step 2. Go to "IAM Service" on the AWS Console.

Step 3. Click on Account Settings on the left pane.

Step 4.

a) To require at least one uppercase letter

Check "Requires at least one uppercase letter" and click on Apply Password Policy.

b) To require at least one lowercase letter

Check "Requires at least one lowercase letter" and click on Apply Password Policy.

c) To require at least one symbol

Check "Require at least one non-alphanumeric character" and click on Apply Password Policy.

d) To require at least one number

Check "Require at least one number" and click on Apply Password Policy.

e) To set a minimum password length of 14 characters

Set "Minimum password length" to 14 or greater and click on Apply Password Policy.

f) To prevent password reuse

Check "Prevent password reuse" and set "Number of passwords to remember" to 24.

g) To expire passwords after 90 days

Check "Enable password expiration" and set "Password expiration period (in days)" to 90 or less.

Set the password policy to follow the rules above via CLI

a) To require at least one uppercase letter

Run the following command:

aws iam update-account-password-policy --require-uppercase-characters

b) To require at least one lowercase letter

Run the following command:

aws iam update-account-password-policy --require-lowercase-characters

c) To require at least one symbol

Run the following command:

aws iam update-account-password-policy --require-symbols

d) To require at least one number

Run the following command:

aws iam update-account-password-policy --require-numbers

e) To set a minimum length of 14 characters

Run the following command:

aws iam update-account-password-policy --minimum-password-length 14

f) To prevent password reuse

Run the following command:

aws iam update-account-password-policy --password-reuse-prevention 24

g) To expire passwords after 90 days

Run the following command:

aws iam update-account-password-policy --max-password-age 90

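Note: All of the "aws iam update-account-password-policy" options above have to be combined into a single command for all of them to take effect. Each invocation replaces the entire password policy, so any option left out of a call reverts to its default value and the settings applied by earlier separate commands are lost.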
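The following audit script is an added example, not part of the original page or of the CIS Benchmark. It checks the JSON printed by `aws iam get-account-password-policy` against controls 1.5 to 1.11 and builds the single combined command the note calls for. The function names, the two sample policies (constructed) and the reuse threshold of 24 (taken from step f) are assumptions of this example.

```python
import json
import sys

# CIS control -> (field in get-account-password-policy output, pass test, CLI option from the steps above)
CONTROLS = {
    "1.5": ("RequireUppercaseCharacters", lambda v: v is True, "--require-uppercase-characters"),
    "1.6": ("RequireLowercaseCharacters", lambda v: v is True, "--require-lowercase-characters"),
    "1.7": ("RequireSymbols", lambda v: v is True, "--require-symbols"),
    "1.8": ("RequireNumbers", lambda v: v is True, "--require-numbers"),
    "1.9": ("MinimumPasswordLength", lambda v: type(v) is int and v >= 14, "--minimum-password-length 14"),
    "1.10": ("PasswordReusePrevention", lambda v: type(v) is int and v >= 24, "--password-reuse-prevention 24"),
    # A missing field or 0 means passwords never expire, which fails 1.11.
    "1.11": ("MaxPasswordAge", lambda v: type(v) is int and 1 <= v <= 90, "--max-password-age 90"),
}

def audit(doc):
    """Return the CIS control IDs that the given policy document fails."""
    policy = doc.get("PasswordPolicy", {})
    return [cid for cid, (field, ok, _) in CONTROLS.items() if not ok(policy.get(field))]

def remediation_command():
    """Always emit every option: one call replaces the whole policy."""
    options = " ".join(option for _, _, option in CONTROLS.values())
    return "aws iam update-account-password-policy " + options

# Constructed sample: the policy left behind when the seven commands are run
# one at a time, so that only the last one (--max-password-age 90) survives.
AFTER_SEPARATE_RUNS = {"PasswordPolicy": {
    "MinimumPasswordLength": 6, "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False, "ExpirePasswords": True, "MaxPasswordAge": 90}}

# Constructed sample: the policy after the single combined command.
COMPLIANT = {"PasswordPolicy": {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": False, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}

if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to see the constructed sample.
    doc = AFTER_SEPARATE_RUNS if sys.stdin.isatty() else json.load(sys.stdin)
    failed = audit(doc)
    for cid in failed:
        print(f"FAIL CIS {cid}: {CONTROLS[cid][0]}")
    if failed:
        print("Remediate with one command:\n  " + remediation_command())
    sys.exit(1 if failed else 0)
```

To audit a live account, pipe the CLI output into the script (the file name is hypothetical): `aws iam get-account-password-policy | python3 audit_password_policy.py`.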