iam-password-policy
Checks if the account password policy for AWS Identity and Access Management (IAM) users meets the specified requirements indicated in the parameters. The rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.
Important
The true
and false
values for the rule parameters are case-sensitive.
If true
is not provided in lowercase, it will be treated as false.
Note
This rule is marked as NON-COMPLIANT when the default IAM password policy is used.
Note
The AWS::IAM::User
resource type can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. AWS::IAM::User
cannot be recorded in Regions supported by AWS Config after February 2022.
Additionally, if you have selected to record AWS::IAM::User
in at least one Region, periodic rules such as this rule that report compliance on AWS::IAM::User
will run evaluations on AWS::IAM::User
in all Regions where the periodic rule is added, even if you have not enabled the recording of AWS::IAM::User
in the Region where the periodic rule was added.
You should only deploy this rule to one of the supported Regions to avoid unnecessary evaluations and API throttling. Not enabling the recording of global IAM resource types will not prevent this rule from running evaluations, if you have enable the recording of global IAM resource types in another Region. To avoid unnecessary evaluations, you should limit the deployment of this rule to one Region.
Identifier: IAM_PASSWORD_POLICY
Trigger type: Periodic
AWS Region: All supported AWS regions except Israel (Tel Aviv), Canada West (Calgary) Region
Parameters:
- RequireUppercaseCharacters (Optional)
- Type: boolean
- Default: true
-
Require at least one uppercase character in password.
- RequireLowercaseCharacters (Optional)
- Type: boolean
- Default: true
-
Require at least one lowercase character in password.
- RequireSymbols (Optional)
- Type: boolean
- Default: true
-
Require at least one symbol in password.
- RequireNumbers (Optional)
- Type: boolean
- Default: true
-
Require at least one number in password.
- MinimumPasswordLength (Optional)
- Type: int
- Default: 14
-
Password minimum length.
- PasswordReusePrevention (Optional)
- Type: int
- Default: 24
-
Number of passwords before allowing reuse.
- MaxPasswordAge (Optional)
- Type: int
- Default: 90
-
Number of days before password expiration.
AWS CloudFormation template
To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.