Cloud Security Index
aws

medium

Compliance Frameworks

BETA
CIS AWS Foundations Benchmark v3.0
1.9
NIST 800-53 Rev 5
IA-5
PCI DSS v4.0
8.3.6
ISO 27001:2022
A.8.5
SOC 2
CC6.1
AWS Foundational Security Best Practices
IAM.9

// Beta Mapping Disclaimer

Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.

Overview

Enforce a hardened IAM account password policy across all central landing zone accounts, including minimum length, complexity, expiry, and reuse prevention aligned to CIS benchmark recommendations.

The IAM account password policy governs all IAM user passwords in the account. In a well-configured landing zone, human access should use IAM Identity Center with federated identity rather than long-lived IAM user credentials. However, IAM users may exist for break-glass scenarios, legacy tooling, or accounts not yet onboarded to Identity Center. A weak password policy in any central account - Management, Log Archive, or Audit - creates unnecessary credential risk for these users. The recommended policy sets a 14-character minimum length, requires at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric character, and prevents reuse of the last 24 passwords. The SCP prevents any principal in member accounts from weakening or deleting this policy after it is applied. Note that SCPs cannot mandate specific policy content - they can only block the actions that would modify or remove the policy.

Password reuse and weak password requirements are common vectors in credential-based attacks. Enforcing a strong policy centrally removes the dependency on individual account administrators to configure this correctly. The CIS benchmark recommends 24 as the reuse prevention value - this is the minimum acceptable for landing zone central accounts. IAM Identity Center federation should be the long-term target; this control provides a safety net for any IAM users that remain.

Remediation Strategy

Apply the full password policy via CLI or Console in each central account. Attach the SCP to prevent weakening. Verify with get-account-password-policy.

1.

Run the update-account-password-policy command (see enforcement_reference) in each central account.

2.

Apply the DenyPasswordPolicyWeakening SCP to the central accounts OU from the Management account.

3.

Verify the applied policy matches expected values using get-account-password-policy.

resource "aws_iam_account_password_policy" "central" {
  minimum_password_length        = 14
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  max_password_age               = 0
  password_reuse_prevention      = 24
  allow_users_to_change_password = false
}

Enforcement Logic

Automatedaws-api

Retrieve the account password policy and verify each attribute meets the minimum threshold: PasswordReusePrevention >= 24, MinimumPasswordLength >= 14, MaxPasswordAge <= 90, and all complexity flags set to true. AWS Security Hub control IAM.9 automates this check across all accounts when Security Hub is enabled organization-wide.

aws iam get-account-password-policy \
  --query "PasswordPolicy.{Reuse:PasswordReusePrevention,MinLen:MinimumPasswordLength,MaxAge:MaxPasswordAge,Symbols:RequireSymbols}" \
  --output table
# Compliant: Reuse>=24, MinLen>=14, MaxAge<=90, Symbols=true
SPEC_METADATA

Complexity
low
Impact
none
Likelihood
low
Residual Risk
low
Scope
account
Environment
production, non-production
Resources
IAM
Remediation
account
Auto-Remediate
Available
Category
iam
Enforcement
mandatory
Tags
iampassword-policycomplianceidentitylanding-zone

Owner
Cloud Security
Type
team
Frequency
quarterly

// EXCEPTION

Accounts where all human access is exclusively through IAM Identity Center federation with no IAM users present may treat this control as informational. The password policy still applies to any service accounts or break-glass IAM users that exist, even if federation is the primary mechanism.

// SYSTEM_NOTE

The IAM account password policy applies only to IAM user passwords - it has no effect on IAM Identity Center users, root user credentials, or access keys. The --no-allow-users-to-change-password flag is appropriate for central accounts where IAM users are break-glass only; remove it for accounts where IAM users manage their own credentials day-to-day. SCPs cannot enforce specific password policy attribute values - only the actions that modify or delete the policy can be restricted. The SCP in enforcement_reference uses ArnNotLike to carve out the LandingZoneAdminRole; substitute the actual role ARN used in your organization. If no IAM users exist in the account, get-account-password-policy returns a NoSuchEntity error - this is expected and does not indicate non-compliance.