IAM password policy does not require minimum password length of 7 or does not include alphanumeric characters Affecting IAM service in AWS


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
IAM/ Passwords

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
  • Snyk IDSNYK-CC-00469
  • creditSnyk Research Team

Description

An enterprise's password policy should require a password length of at least 7 characters. Setting a password complexity policy increases account resiliency against brute force login attempts.

How to fix?

Set the aws_iam_account_password_policy minimum_password_length field to 7 and set all fields require_numbers, require_lowercase_characters, and require_uppercase_characters to true.

Example Configuration

resource "aws_iam_account_password_policy" "example" {
  minimum_password_length = 7
  require_numbers = true
    require_lowercase_characters = true
    require_uppercase_characters = true
  # other required fields here
}