Ensure 'password policy' is enabled - at least 1 symbol



Weak and common passwords can be easily compromised by attackers. It is recommended that all users have at least 1 lowercase letter, 1 uppercase letter, 1 special character, and 1 number in their passwords. It is also recommended that users utilize a long password that does not contain repeating or common words or phrases. Passwords should be rotated regularly, and any temporary password should be set with a short lifespan.


In AWS Console -

  1. Sign in to the AWS Console and go to the IAM console.
  2. Choose Account settings in the navigation pane.
  3. Select 'Change password policy' in the Password policy section.
  4. Select the password policy configuration.
  5. Select Save changes.

In Terraform -

  1. In the aws_cognito_user_pool, configure the password_policy block as needed.
  2. Best practice is to include minimum_length, require_lowercase, require_upppercase, require_numbers, and require_symbols.
  3. Set temporary_password_validity_days with a value of 90 days or less.
  4. Set minimum_length to 14 or greater.


Policy Details

Rule Reference ID: AC_AWS_0046
Remediation Available: Yes
Resource Type: Cognito