Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Enforce a hardened IAM account password policy across all central landing zone accounts, including minimum length, complexity, expiry, and reuse prevention aligned to CIS benchmark recommendations.
The IAM account password policy governs all IAM user passwords in the account. In a well-configured landing zone, human access should use IAM Identity Center with federated identity rather than long-lived IAM user credentials. However, IAM users may exist for break-glass scenarios, legacy tooling, or accounts not yet onboarded to Identity Center. A weak password policy in any central account - Management, Log Archive, or Audit - creates unnecessary credential risk for these users. The recommended policy sets a 14-character minimum length, requires at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric character, and prevents reuse of the last 24 passwords. The SCP prevents any principal in member accounts from weakening or deleting this policy after it is applied. Note that SCPs cannot mandate specific policy content - they can only block the actions that would modify or remove the policy.
Password reuse and weak password requirements are common vectors in credential-based attacks. Enforcing a strong policy centrally removes the dependency on individual account administrators to configure this correctly. The CIS benchmark recommends 24 as the reuse prevention value - this is the minimum acceptable for landing zone central accounts. IAM Identity Center federation should be the long-term target; this control provides a safety net for any IAM users that remain.
Remediation Strategy
Apply the full password policy via CLI or Console in each central account. Attach the SCP to prevent weakening. Verify with get-account-password-policy.
Run the update-account-password-policy command (see enforcement_reference) in each central account.
Apply the DenyPasswordPolicyWeakening SCP to the central accounts OU from the Management account.
Verify the applied policy matches expected values using get-account-password-policy.
resource "aws_iam_account_password_policy" "central" {
minimum_password_length = 14
require_uppercase_characters = true
require_lowercase_characters = true
require_numbers = true
require_symbols = true
max_password_age = 0
password_reuse_prevention = 24
allow_users_to_change_password = false
}Enforcement Logic
Retrieve the account password policy and verify each attribute meets the minimum threshold: PasswordReusePrevention >= 24, MinimumPasswordLength >= 14, MaxPasswordAge <= 90, and all complexity flags set to true. AWS Security Hub control IAM.9 automates this check across all accounts when Security Hub is enabled organization-wide.
aws iam get-account-password-policy \
--query "PasswordPolicy.{Reuse:PasswordReusePrevention,MinLen:MinimumPasswordLength,MaxAge:MaxPasswordAge,Symbols:RequireSymbols}" \
--output table
# Compliant: Reuse>=24, MinLen>=14, MaxAge<=90, Symbols=trueAccounts where all human access is exclusively through IAM Identity Center federation with no IAM users present may treat this control as informational. The password policy still applies to any service accounts or break-glass IAM users that exist, even if federation is the primary mechanism.
The IAM account password policy applies only to IAM user passwords - it has no effect on IAM Identity Center users, root user credentials, or access keys. The --no-allow-users-to-change-password flag is appropriate for central accounts where IAM users are break-glass only; remove it for accounts where IAM users manage their own credentials day-to-day. SCPs cannot enforce specific password policy attribute values - only the actions that modify or delete the policy can be restricted. The SCP in enforcement_reference uses ArnNotLike to carve out the LandingZoneAdminRole; substitute the actual role ARN used in your organization. If no IAM users exist in the account, get-account-password-policy returns a NoSuchEntity error - this is expected and does not indicate non-compliance.