IAM password policies should prevent password reuse
Password reuse is one of the most common ways credential compromise escalates. When users rotate passwords but cycle back to previous ones, an attacker who obtained an old credential through a breach or phishing attempt can regain access after a rotation event. Setting reuse prevention to 24 makes it impractical for users to cycle through passwords and return to a familiar one.
This is especially relevant in environments where console access is still required. Even with MFA enabled, the password remains a factor, and a reused password undermines the entire authentication chain.
Retrofit consideration
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.
resource "aws_iam_account_password_policy" "this" {
  max_password_age             = 90
  minimum_password_length      = 14
  password_reuse_prevention    = 24
  require_lowercase_characters = true
  require_numbers              = true
  require_symbols              = true
  require_uppercase_characters = true
}

What this control checks
This control validates that the aws_iam_account_password_policy resource has password_reuse_prevention set to exactly 24. A value of 23 or lower fails. If no aws_iam_account_password_policy resource is defined, the account uses the AWS default, which does not enforce any reuse prevention, and the control fails. The full resource may look like:
resource "aws_iam_account_password_policy" "strict" {
  password_reuse_prevention = 24
}
Other arguments (minimum_password_length, require_symbols, max_password_age) are independent of this check but commonly live in the same resource block.
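The rule stated above (exactly 24 passes, anything lower fails, and a missing resource fails because the AWS default enforces no reuse prevention) can be applied to a plan before apply. The following is an added example, not Compliance.tf's own checker: it reads the JSON that `terraform show -json plan.tfplan` produces (the `planned_values.root_module.resources` / `child_modules` layout is assumed), collects every `aws_iam_account_password_policy` resource and evaluates the control. The sample plans at the bottom are constructed for the example; it also warns when the singleton resource is planned more than once, the conflict described under "Common pitfalls".

```python
"""Added example: evaluate the reuse-prevention control against a Terraform plan.

Input is the JSON from `terraform show -json plan.tfplan` (structure assumed:
planned_values.root_module.resources[], with nested child_modules[]).
"""
import json

RESOURCE_TYPE = "aws_iam_account_password_policy"
REQUIRED_REUSE_PREVENTION = 24  # AWS maximum; the control requires exactly this


def _walk_resources(module):
    """Yield every planned resource in a module and all of its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def evaluate_plan(plan_json):
    """Return {"status": "PASS" | "FAIL", "findings": [str, ...]}.

    findings lists every reason for failure, plus a warning (which does not
    fail the control) when the per-account singleton is planned more than once.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    policies = [r for r in _walk_resources(root) if r.get("type") == RESOURCE_TYPE]

    findings = []
    if not policies:
        findings.append(f"no {RESOURCE_TYPE} resource planned; AWS default "
                        "applies and enforces no reuse prevention")
    if len(policies) > 1:
        findings.append(f"warning: {RESOURCE_TYPE} is a per-account singleton "
                        f"but {len(policies)} instances are planned")
    for res in policies:
        value = res.get("values", {}).get("password_reuse_prevention")
        if value != REQUIRED_REUSE_PREVENTION:
            findings.append(f"{res.get('address')}: password_reuse_prevention="
                            f"{value!r}, control requires {REQUIRED_REUSE_PREVENTION}")

    failing = [f for f in findings if not f.startswith("warning:")]
    return {"status": "FAIL" if failing else "PASS", "findings": findings}


def _plan_with(values):
    """Build a minimal constructed plan document containing one policy resource."""
    resource = {"address": f"{RESOURCE_TYPE}.this", "type": RESOURCE_TYPE,
                "name": "this", "values": values}
    return json.dumps({"format_version": "1.2",
                       "planned_values": {"root_module": {"resources": [resource]}}})


# Constructed sample plans (not captured from a real account).
PLAN_COMPLIANT = _plan_with({"password_reuse_prevention": 24,
                             "minimum_password_length": 14,
                             "max_password_age": 90})
PLAN_TOO_LOW = _plan_with({"password_reuse_prevention": 12})
PLAN_MISSING = json.dumps({"format_version": "1.2",
                           "planned_values": {"root_module": {"resources": []}}})

if __name__ == "__main__":
    for name, plan in [("compliant", PLAN_COMPLIANT), ("too_low", PLAN_TOO_LOW),
                       ("missing", PLAN_MISSING)]:
        result = evaluate_plan(plan)
        print(name, result["status"], *result["findings"], sep="\n  ")
```

Run it against a real plan with `terraform show -json plan.tfplan | python3 check_reuse.py` after replacing the sample constants with `sys.stdin.read()`; the walk over `child_modules` matters because the policy is often declared inside a shared IAM module rather than at the root.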
Common pitfalls
Only one password policy per account
The aws_iam_account_password_policy resource is a singleton. If multiple Terraform stacks or workspaces try to manage it, they will conflict. Use terraform import to bring an existing policy under management in exactly one state file, and reference it via remote state or data sources elsewhere.
Control requires exactly 24, not 'at least' 24
AWS caps password_reuse_prevention at 24. Any value below that (e.g., 12) fails this control. There is no API path to set it higher, so 24 is both the floor and the ceiling for compliance here.
Policy does not apply to programmatic credentials
The IAM password policy governs console passwords only. It has no effect on access keys, session tokens, or federated identities. In SSO-only environments where no IAM users have console passwords enabled, the policy still needs to be configured to pass this control, but it provides limited practical protection.
Terraform destroy removes the entire policy
Running terraform destroy on the aws_iam_account_password_policy resource calls DeleteAccountPasswordPolicy, which reverts to the AWS default: no reuse prevention, no complexity requirements. Protect this resource with lifecycle { prevent_destroy = true }.
Audit evidence
An auditor expects to see aws iam get-account-password-policy output showing "PasswordReusePrevention": 24. AWS Config rule iam-password-policy evaluation results provide continuous evidence. IAM console screenshots (Account Settings) showing the configured policy work as point-in-time evidence. For organizations using Security Hub, the finding for this control under AWS Foundational Security Best Practices should show PASSED.
CloudTrail logs for UpdateAccountPasswordPolicy API calls show when the policy was last changed and by whom, providing a change history.
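Turning those CloudTrail events into the change history an auditor asks for is a small parsing job. The following is an added example, not part of this control's tooling: it takes CloudTrail records in the standard layout (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`, `requestParameters`, `errorCode`; the lowerCamelCase `passwordReusePrevention` parameter name is assumed), keeps only successful UpdateAccountPasswordPolicy and DeleteAccountPasswordPolicy calls, and reports who changed the policy, when, and what reuse-prevention value resulted. The trail at the bottom is constructed for the example.

```python
"""Added example: build a change history for the account password policy from
CloudTrail records (record layout assumed as described in the lead-in; the
sample records are constructed, not captured from a real account).
"""
import json

POLICY_EVENTS = {"UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy"}
REQUIRED_REUSE_PREVENTION = 24


def policy_change_history(records_json):
    """Return the successful policy changes in chronological order.

    Each entry records when, who, which API call, and the reuse-prevention
    value that call set (None for a delete, which reverts to the AWS default).
    Calls with an errorCode (e.g. AccessDenied) are skipped: they changed nothing,
    though they are worth reviewing separately as attempted changes.
    """
    records = json.loads(records_json)["Records"]
    history = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in POLICY_EVENTS or rec.get("errorCode"):
            continue
        params = rec.get("requestParameters") or {}
        history.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "event": rec["eventName"],
            "reuse_prevention": params.get("passwordReusePrevention"),
        })
    history.sort(key=lambda h: h["time"])  # ISO-8601 UTC timestamps sort lexically
    return history


def compliant_after(history):
    """True only if the most recent successful change left reuse prevention at 24."""
    if not history:
        return False  # no change ever recorded: AWS default, no reuse prevention
    return history[-1]["reuse_prevention"] == REQUIRED_REUSE_PREVENTION


def _record(time, arn, name, params=None, error=None):
    """Construct one CloudTrail-shaped record for the sample trail."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample trail: a compliant policy set by the Terraform role, a denied
# attempt to weaken it, then a successful out-of-band downgrade to 5 that an
# auditor (and a drift check) would want to see. Records are deliberately unordered.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("2026-03-01T08:15:00Z", "arn:aws:iam::111122223333:user/bob",
            "UpdateAccountPasswordPolicy", {"passwordReusePrevention": 5}),
    _record("2026-02-01T10:00:00Z", "arn:aws:iam::111122223333:role/terraform",
            "UpdateAccountPasswordPolicy",
            {"passwordReusePrevention": 24, "minimumPasswordLength": 14}),
    _record("2026-02-20T09:30:00Z", "arn:aws:iam::111122223333:user/alice",
            "UpdateAccountPasswordPolicy", {"passwordReusePrevention": 5},
            error="AccessDenied"),
    _record("2026-01-15T12:00:00Z", "arn:aws:iam::111122223333:user/bob",
            "GetAccountPasswordPolicy"),  # read-only call, not a change
]})

if __name__ == "__main__":
    history = policy_change_history(SAMPLE_TRAIL)
    for entry in history:
        print(entry)
    print("compliant after last change:", compliant_after(history))
```

Feeding it the output of `aws cloudtrail lookup-events` or an Athena query over the trail bucket gives the same result shape; the last entry is the one to compare against the `aws iam get-account-password-policy` output when the two disagree, since that gap is exactly the drift Terraform would correct on the next apply.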
Framework-specific interpretation
PCI DSS v4.0: Requirement 8.3.7 prohibits passwords from matching any of the last four. Setting prevention to 24 exceeds that minimum and fully satisfies the requirement.
HIPAA Omnibus Rule 2013: 45 CFR 164.312(a)(2)(i) and 164.312(d) both address authentication controls for ePHI. Password reuse prevention is not cited by name in the Security Rule, but it supports the stronger authentication procedures those provisions call for.
ISO/IEC 27001:2022: A.5.17 and A.8.5 both address management of authentication information, including controls around password history. This control implements that directly.
GDPR: Credential stuffing and replay attacks are a documented path to unauthorized access to personal data. Limiting password reuse cuts off that vector, which supports the confidentiality obligations under Article 32.
NIS2 Directive (EU 2022/2555): Essential and important entities under NIS2 Article 21 must implement appropriate technical measures for access security. Enforcing password history is baseline IAM hygiene that falls within that scope.
FedRAMP Moderate Baseline Rev 4: IA-5 covers authenticator management, including password history enforcement. FedRAMP Moderate carries that expectation forward, and setting 24 cycles of history is a standard approach to meeting it.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
- Compliance.tf Control: iam_account_password_policy_reuse_24
- AWS Config Managed Rule: IAM_PASSWORD_POLICY
- Checkov Check: CKV_AWS_13
- Powerpipe Control: aws_compliance.control.iam_account_password_policy_reuse_24
- Prowler Check: iam_password_policy_reuse_24
- AWS Security Hub Control: IAM.16
- KICS Query: 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a
- Trivy Check: AWS-0056
Last reviewed: 2026-03-09