Ensure that every AWS account has a minimum password length policy for AWS IAM User Login Profile

HIGH

Description

Failing to enforce a minimum password length policy increases the likelihood that an AWS account is compromised through brute-force, dictionary, or password-spray attacks.

Remediation

Password policy for AWS accounts can be created and managed in the AWS IAM Console.

In AWS Console -

  1. Sign in to the AWS Console and go to the IAM console.
  2. Choose Account settings in the navigation pane.
  3. Select 'Change password policy' in the Password policy section.
  4. Select the password policy configuration.
  5. Select Save changes.

In Terraform -

  1. In the aws_iam_user_login_profile resource, set the password_length field to an appropriate value.
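
A check for the Terraform remediation above, as an added example that is not part of the original policy page or of the scanner's own rule: it walks plan output in the shape produced by `terraform show -json` and reports aws_iam_user_login_profile resources whose password_length is missing or below a threshold. The threshold of 14, the function names and the sample plan are assumptions of this example.

```python
# Assumed threshold: the page only says "an appropriate value"; 14 is this example's choice.
MIN_LENGTH = 14
TARGET = "aws_iam_user_login_profile"

# Constructed sample, trimmed to the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_iam_user_login_profile.ops", "type": TARGET,
         "values": {"user": "ops", "password_length": 8}},
        {"address": "aws_iam_user_login_profile.dev", "type": TARGET,
         "values": {"user": "dev", "password_length": 20}},
        {"address": "aws_iam_user.dev", "type": "aws_iam_user",
         "values": {"name": "dev"}},
    ],
    "child_modules": [{
        "address": "module.team",
        "resources": [
            {"address": "module.team.aws_iam_user_login_profile.qa", "type": TARGET,
             "values": {"user": "qa", "password_length": None}},
        ],
    }],
}}}


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def short_login_profiles(plan, min_length=MIN_LENGTH):
    """Return (address, reason) for login profiles below min_length or without a value."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != TARGET:
            continue
        length = (res.get("values") or {}).get("password_length")
        if length is None:
            # Assumption of this example: an absent value is reported so the length is stated explicitly.
            findings.append((res["address"], "password_length not set"))
        elif length < min_length:
            findings.append((res["address"], f"password_length {length} < {min_length}"))
    return findings


if __name__ == "__main__":
    for address, reason in short_login_profiles(SAMPLE_PLAN):
        print(f"FAIL {address}: {reason}")
```
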

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile

Policy Details

Rule Reference ID: AC_AWS_0148
CSP: AWS
Remediation Available: Yes
Resource Type: Policy

Frameworks