Setting an account password policy for IAM users - AWS Identity and Access Management

Setting an account password policy for IAM users

You can set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. If you don't set a custom password policy, IAM user passwords must meet the default AWS password policy. For more information, see Custom password policy options.

Rules for setting a password policy

The IAM password policy does not apply to the AWS account root user password or IAM user access keys. If a password expires, the IAM user can't sign in to the AWS Management Console but can continue to use their access keys.

When you create or change a password policy, most of the password policy settings are enforced the next time your users change their passwords. However, some of the settings are enforced immediately. For example:

  • When the minimum length and character type requirements change, these settings are enforced the next time that your users change their passwords. Users are not forced to change their existing passwords, even if the existing passwords do not adhere to the updated password policy.

  • When you set a password expiration period, the expiration period is enforced immediately. For example, assume that you set a password expiration period of 90 days. In that case, the password expires for all IAM users whose existing password is older than 90 days. Those users are required to change their password the next time that they sign in.

You can't create a "lockout policy" to lock a user out of the account after a specified number of failed sign-in attempts. For enhanced security, we recommend that you combine a strong password policy with multi-factor authentication (MFA). For more information about MFA, see Using multi-factor authentication (MFA) in AWS.

Permissions required to set a password policy

You must configure permissions to allow an IAM entity (user or role) to view or edit their account password policy. You can include the following password policy actions in an IAM policy:

  • iam:GetAccountPasswordPolicy – Allows the entity to view the password policy for their account

  • iam:DeleteAccountPasswordPolicy – Allows the entity to delete the custom password policy for their account and revert to the default password policy

  • iam:UpdateAccountPasswordPolicy – Allows the entity to create or change the custom password policy for their account

The following policy allows full access to view and edit the account password policy. To learn how to create an IAM policy using this example JSON policy document, see Creating policies on the JSON tab.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccessPasswordPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:DeleteAccountPasswordPolicy",
                "iam:UpdateAccountPasswordPolicy"
            ],
            "Resource": "*"
        }
    ]
}

For information about the permissions required for an IAM user to change their own password, see Permitting IAM users to change their own passwords.

Default password policy

If an administrator does not set a custom password policy, IAM user passwords must meet the default AWS password policy. The default password policy enforces the following conditions:

  • Minimum password length of 8 characters and a maximum length of 128 characters

  • At least three of the following four character types: uppercase letters, lowercase letters, numbers, and the symbols ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '

  • Must not be identical to your AWS account name or email address

Custom password policy options

When you configure a custom password policy for your account, you can specify the following conditions:

  • Password minimum length – You can specify a minimum of 6 characters and a maximum of 128 characters.

  • Password strength – You can select any of the following check boxes to define the strength of your IAM user passwords:

    • Require at least one uppercase letter from the Latin alphabet (A–Z)

    • Require at least one lowercase letter from the Latin alphabet (a–z)

    • Require at least one number

    • Require at least one nonalphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '

  • Enable password expiration – You can select and specify a minimum of 1 and a maximum of 1,095 days that IAM user passwords are valid after they are set. For example, after 90 days a user's password expires and they must set a new password before accessing the AWS Management Console. The AWS Management Console warns IAM users when they are within 15 days of password expiration. IAM users can change their password at any time if they have permission. When they set a new password, the expiration period for that password starts over. An IAM user can have only one valid password at a time.

  • Password expiration requires administrator reset – Select this option to prevent IAM users from updating their own passwords after the password expires. Before you select this option, confirm that your AWS account has more than one user with administrative permissions to reset IAM user passwords. Also consider providing access keys to allow administrators to reset IAM user passwords programmatically. If you clear this check box, IAM users with expired passwords must still set a new password before they can access the AWS Management Console.

  • Allow users to change their own password – You can permit all IAM users in your account to use the IAM console to change their own passwords, as described in Permitting IAM users to change their own passwords. Alternatively, you can allow only some users to manage passwords, either for themselves or for others. To do so, you clear this check box. For more information about using policies to limit who can manage passwords, see Permitting IAM users to change their own passwords.

  • Prevent password reuse – You can prevent IAM users from reusing a specified number of previous passwords. You can specify a minimum number of 1 and a maximum number of 24 previous passwords that can't be repeated.
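
To make the rules above concrete, here is an added example (not AWS code) that checks a candidate password against the default policy and against a custom policy expressed with the field names that GetAccountPasswordPolicy returns (MinimumPasswordLength, RequireSymbols and so on); the policy dict and the sample passwords are this example's own assumptions.

```python
import string

# Symbol set the page lists; both the default and the custom policy use it.
SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")
MAX_LENGTH = 128  # upper bound for both policies


def character_classes(password: str) -> dict:
    """Which of the four character classes the password contains."""
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "number": any(c in string.digits for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }


def check_default_policy(password: str, account_name: str, email: str) -> list:
    """Default-policy rules the password violates (empty list means it passes)."""
    problems = []
    if not 8 <= len(password) <= MAX_LENGTH:
        problems.append("length must be 8 to 128 characters")
    if sum(character_classes(password).values()) < 3:
        problems.append("needs three of: uppercase, lowercase, number, symbol")
    if password in (account_name, email):
        problems.append("must not equal the account name or email address")
    return problems


# Custom-policy flag -> character class it demands (names as in GetAccountPasswordPolicy).
REQUIRED = {
    "RequireUppercaseCharacters": "upper",
    "RequireLowercaseCharacters": "lower",
    "RequireNumbers": "number",
    "RequireSymbols": "symbol",
}


def check_custom_policy(password: str, policy: dict) -> list:
    """Custom-policy rules the password violates (empty list means it passes)."""
    classes = character_classes(password)
    min_len = policy.get("MinimumPasswordLength", 6)  # page: 6 is the smallest allowed
    problems = []
    if not min_len <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be {min_len} to {MAX_LENGTH} characters")
    for flag, cls in REQUIRED.items():
        if policy.get(flag) and not classes[cls]:
            problems.append(f"{flag} not satisfied")
    return problems
```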

Setting a password policy (console)

You can use the AWS Management Console to create, change, or delete a custom password policy.

To create a custom password policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Account settings.

  3. In the Password policy section, choose Change password policy.

  4. Select the options that you want to apply to your password policy and choose Save changes.

To change a custom password policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Account settings.

  3. In the Password policy section, choose Change.

  4. Select the options that you want to apply to your password policy and choose Save changes.

To delete a password policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Account settings.

  3. In the Password policy section, choose Delete.

  4. Confirm that you want to delete the custom password policy by choosing Delete custom.

Setting a password policy (AWS CLI)

You can use the AWS Command Line Interface to set a password policy.

To manage the custom account password policy from the AWS CLI

Run the following commands:

Setting a password policy (AWS API)

You can use AWS API operations to set a password policy.

To manage the custom account password policy from the AWS API

Call the following operations:
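
As an added example (not AWS code and not the page's own command list) that serves both the AWS CLI and AWS API sections above: it builds the `aws iam update-account-password-policy` invocation that applies a chosen policy and audits the JSON that `aws iam get-account-password-policy` returns (the CLI front ends to the UpdateAccountPasswordPolicy and GetAccountPasswordPolicy operations). The BASELINE values and the sample output are this example's own assumptions, chosen within the ranges the page documents.

```python
import json
import re

# Baseline this example enforces (an assumption, chosen within the page's ranges).
BASELINE = {
    "MinimumPasswordLength": 14,        # page allows 6..128
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,               # page allows 1..1095 days
    "PasswordReusePrevention": 24,      # page allows 1..24 previous passwords
    "HardExpiry": False,                # "expiration requires administrator reset"
}

# Constructed sample of `aws iam get-account-password-policy` output (a weak policy).
SAMPLE_GET_OUTPUT = ('{"PasswordPolicy": {"MinimumPasswordLength": 8, '
                     '"RequireSymbols": false, "RequireNumbers": true, '
                     '"RequireUppercaseCharacters": true, "RequireLowercaseCharacters": true, '
                     '"AllowUsersToChangePassword": true, "ExpirePasswords": false, "HardExpiry": false}}')


def update_command(policy: dict) -> list:
    """argv for `aws iam update-account-password-policy` (FieldName -> --field-name)."""
    argv = ["aws", "iam", "update-account-password-policy"]
    for field, value in policy.items():
        flag = "--" + re.sub(r"(?<!^)(?=[A-Z])", "-", field).lower()
        if isinstance(value, bool):              # booleans: --flag or --no-flag
            argv.append(flag if value else "--no-" + flag[2:])
        else:
            argv += [flag, str(value)]
    return argv


def audit(get_output: str, baseline: dict = BASELINE) -> list:
    """Fields of the get-account-password-policy JSON weaker than the baseline."""
    current = json.loads(get_output)["PasswordPolicy"]
    findings = []
    for field, wanted in baseline.items():
        have = current.get(field, False if isinstance(wanted, bool) else 0)
        if field == "MaxPasswordAge":       # 0 or absent: passwords never expire
            weaker = have == 0 or have > wanted
        elif isinstance(wanted, bool):      # boolean options must match the baseline
            weaker = have != wanted
        else:
            weaker = have < wanted
        if weaker:
            findings.append(f"{field}: have {have!r}, baseline {wanted!r}")
    return findings
```

Feed the stdout of `aws iam get-account-password-policy` to audit(); that call returns a NoSuchEntity error while the account still uses the default policy, which is itself worth reporting.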