compliance.tf

IAM password policies should have strong configurations with minimum length of 8 or greater

Short passwords are the path of least resistance for brute-force and dictionary attacks. NIST SP 800-63B sets 8 characters as the floor for memorized secrets; most organizations with any real security posture push that to 12 or 14.

Without an explicit account-level policy, AWS applies its default policy to IAM user console passwords: a minimum of 8 characters and at least three of the four character classes, with no rotation or reuse controls. That default never requires all four classes, so it cannot satisfy this control, and because nothing in your repository describes it, there is nothing to review or audit. Defining the policy in Terraform makes the configuration intentional, reviewable, and enforceable.

Retrofit consideration

Existing IAM users are not forced to change their passwords when the policy changes. Passwords that predate the new policy remain valid until their next rotation, and without max_password_age there is no rotation. Set max_password_age so that passwords older than the limit must be changed at the next sign-in, or expire individual credentials immediately with aws iam update-login-profile --user-name <name> --password-reset-required.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.

resource "aws_iam_account_password_policy" "this" {
  # Length and character-class requirements checked by this control.
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true

  # Rotation and reuse controls. Not checked by this control, but they are
  # what eventually retires passwords set under a weaker policy.
  max_password_age               = 90
  password_reuse_prevention      = 24
  allow_users_to_change_password = true
}

What this control checks

The policy engine checks the aws_iam_account_password_policy resource: minimum_password_length must be 8 or higher, and require_lowercase_characters, require_uppercase_characters, require_numbers, and require_symbols must each be true. allow_users_to_change_password is not evaluated, but set it to true so users can rotate their own passwords. If the resource is absent from the configuration, the account runs on the AWS default policy, which requires only three of the four character classes and therefore fails this control. Only one aws_iam_account_password_policy can exist per account.

Common pitfalls

Existing passwords are not retroactively enforced

Tightening the policy doesn't touch existing passwords. A user whose password was set under a weaker policy keeps it until the next rotation. Set max_password_age in aws_iam_account_password_policy so that stale passwords expire at the next sign-in, and use aws iam update-login-profile --user-name <name> --password-reset-required to force rotation on accounts that need immediate compliance.
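The retrofit step described here and under Retrofit consideration above needs a list of which users actually hold a stale password. The following is an added example (not compliance.tf code) that reads the IAM credential report (generate it with aws iam generate-credential-report, then fetch it with aws iam get-credential-report, which returns the CSV base64-encoded in its Content field), picks out console users whose password_last_changed predates the date the new policy went live, and emits one update-login-profile command per user instead of running it. The CSV below is constructed and carries only the columns the script reads; a real report has many more, which the header-based parsing ignores. The cutoff date is an assumption you replace with your own.

```python
"""Find IAM users whose console password predates a tightened password policy."""
import csv
import io
import shlex
from datetime import datetime, timezone

# Constructed sample of a credential report, reduced to the columns used here.
# Real reports also carry arn, user_creation_time, password_last_used,
# mfa_active, access_key_1_active and more; DictReader copes with extra columns.
SAMPLE_REPORT = """user,password_enabled,password_last_changed,password_next_rotation
<root_account>,not_supported,not_supported,not_supported
alice,true,2023-11-02T08:15:11+00:00,2024-01-31T08:15:11+00:00
bob,true,2024-04-20T17:03:42+00:00,N/A
svc-deploy,false,N/A,N/A
"""

# Placeholder values the report uses where no timestamp applies.
_NO_VALUE = ("N/A", "not_supported", "no_information")


def parse_time(value):
    """Return a tz-aware datetime, or None for the report's placeholder values."""
    if value in _NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def users_needing_reset(report_csv, policy_effective):
    """Console users whose password was last changed before policy_effective.

    policy_effective is a tz-aware datetime or an ISO-8601 string with offset,
    e.g. "2024-01-01T00:00:00+00:00". Users without a console password are
    skipped, as is the root user (password_enabled is "not_supported" there;
    the IAM password policy never applies to root anyway).
    """
    if isinstance(policy_effective, str):
        policy_effective = datetime.fromisoformat(policy_effective)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue
        changed = parse_time(row["password_last_changed"])
        # A console user with no recorded change date is treated as stale.
        if changed is None or changed < policy_effective:
            stale.append(row["user"])
    return stale


def reset_commands(users):
    """One `aws iam update-login-profile` invocation per user, ready to pipe into sh."""
    return [
        f"aws iam update-login-profile --user-name {shlex.quote(u)} --password-reset-required"
        for u in users
    ]


if __name__ == "__main__":
    # Assumed policy go-live date; replace with the apply time of your change.
    effective = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for cmd in reset_commands(users_needing_reset(SAMPLE_REPORT, effective)):
        print(cmd)
```

Review the list before piping it anywhere: users flagged here lose console access until they set a new password that satisfies the tightened policy, so service accounts that happen to have a console password need a communication plan, not a surprise.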

Only one password policy per account

The aws_iam_account_password_policy resource is a singleton. Multiple Terraform stacks competing to manage it will overwrite each other's settings on every apply and show perpetual drift. Bring the existing policy into one state file with terraform import (the provider accepts the fixed ID iam-account-password-policy, e.g. terraform import aws_iam_account_password_policy.this iam-account-password-policy), then manage it from a dedicated identity stack.

Minimum length of exactly 8 may not satisfy stricter frameworks

Passing this control at 8 characters doesn't mean you're done. PCI DSS v4.0 requirement 8.3.6 requires 12 characters minimum (or 8 if the platform doesn't support 12). Setting minimum_password_length to 14 covers most frameworks at once and avoids rework when audit scope expands.

Policy does not apply to root or federated users

The IAM password policy covers IAM user console passwords only. The root user's password, IAM Identity Center (SSO) users, and credentials issued by external identity providers are out of scope entirely. Root password strength and federated access controls need separate attention.

Audit evidence

Run aws iam get-account-password-policy; its output shows MinimumPasswordLength, RequireLowercaseCharacters, RequireUppercaseCharacters, RequireNumbers, and RequireSymbols, and the command returns a NoSuchEntity error when no policy is configured. The Config rule iam-password-policy provides continuous evaluation status. IAM console screenshots from Account Settings are commonly accepted as well. For multi-account environments, Security Hub findings showing PASSED status across member accounts work as aggregated evidence.
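To turn that CLI output into the same pass/fail verdict the control reaches (the checks listed under What this control checks), here is an added example, not code from compliance.tf or from any of the tools listed on this page. It parses the JSON that aws iam get-account-password-policy prints, applies the four character-class checks and a minimum-length threshold, and separately reports the settings the page recommends but the control does not grade. The threshold table is an assumption chosen from the numbers on this page: the control's own floor of 8, the 12 from PCI DSS v4.0 8.3.6, and the 14 the listed Prowler minimum-length check expects. Both sample policies are constructed to mirror the CLI's output shape; None stands in for the NoSuchEntity case.

```python
"""Evaluate `aws iam get-account-password-policy` output against this control."""
import json
from typing import Optional

# Character-class flags the control requires to be true.
REQUIRED_FLAGS = (
    "RequireLowercaseCharacters",
    "RequireUppercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)

# Assumed thresholds, taken from this page: the control's floor, PCI DSS v4.0
# requirement 8.3.6, and the 14 that iam_password_policy_minimum_length_14 wants.
THRESHOLDS = {"control": 8, "pci_dss_v4": 12, "prowler_14": 14}


def evaluate(policy_json: Optional[str], min_length: int = THRESHOLDS["control"]) -> dict:
    """Return {"pass": bool, "findings": [...], "advisories": [...]}.

    policy_json is the raw CLI output. Pass None when the CLI returned
    NoSuchEntity, i.e. no policy is configured and the AWS default applies.
    """
    if policy_json is None:
        # The AWS default policy requires only three of the four character
        # classes, so an absent policy cannot satisfy the four-class check.
        return {
            "pass": False,
            "findings": ["no account password policy configured; AWS default in effect"],
            "advisories": [],
        }

    policy = json.loads(policy_json)["PasswordPolicy"]
    findings, advisories = [], []

    length = policy.get("MinimumPasswordLength", 0)
    if length < min_length:
        findings.append(f"MinimumPasswordLength {length} is below {min_length}")
    for flag in REQUIRED_FLAGS:
        if policy.get(flag) is not True:
            findings.append(f"{flag} is not true")

    # Not part of the verdict, but the settings the page recommends alongside it.
    if policy.get("AllowUsersToChangePassword") is not True:
        advisories.append("AllowUsersToChangePassword is not true; users cannot self-service rotation")
    if not policy.get("ExpirePasswords"):
        advisories.append("MaxPasswordAge not set; passwords set under a weaker policy never expire")
    if policy.get("PasswordReusePrevention", 0) < 24:
        advisories.append("PasswordReusePrevention below 24")

    return {"pass": not findings, "findings": findings, "advisories": advisories}


# Constructed samples shaped like the CLI output. STRONG matches the Terraform
# resource shown above; WEAK is an 8-character policy missing the symbols class.
STRONG_POLICY = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}})

WEAK_POLICY = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": False,
    "ExpirePasswords": False,
}})

if __name__ == "__main__":
    for name, doc in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY), ("absent", None)):
        for label, n in THRESHOLDS.items():
            result = evaluate(doc, n)
            print(f"{name:6} @ {label:10}: {'PASS' if result['pass'] else 'FAIL'} {result['findings']}")
```

Running the three samples against all three thresholds shows why passing at 8 is not the end of the story: the weak policy fails the control on the missing symbols requirement regardless of length, and it also fails the PCI and Prowler thresholds on length alone, while the absent-policy case fails everywhere with no settings to quote as evidence.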

Framework-specific interpretation

PCI DSS v4.0: Requirement 8.3.6 mandates a minimum of 12 characters (or 8 if the platform doesn't support 12) plus both numeric and alphabetic characters. This control passes at 8, but setting minimum_password_length to 12 or higher is the safer path to fully satisfy 8.3.6 without a compensating control discussion.

HIPAA Omnibus Rule 2013: 45 CFR 164.312(d) requires person or entity authentication as a technical safeguard for ePHI. A configured IAM password policy is one concrete mechanism for ensuring only authorized workforce members can authenticate to the AWS console.

ISO/IEC 27001:2022: Annex A control A.8.5 (Secure Authentication) expects passwords to meet defined strength criteria. The aws_iam_account_password_policy resource is one way to document and enforce those criteria in Terraform.

GDPR: Weak or undefined IAM password policies raise the likelihood of unauthorized access to systems processing personal data. Article 32 calls for appropriate technical measures to prevent exactly that.

NIS2 Directive (EU 2022/2555): Article 21 expects risk management measures to include access controls and authentication. Without an explicit policy, there's no enforceable standard for IAM user credentials, which is exactly the gap NIS2 scrutiny will surface.

NIST SP 800-53 Rev 5: IA-5 and IA-5(1) cover authenticator management and password complexity enforcement. SP 800-63B sets 8 characters as the minimum for memorized secrets, which is what this control enforces. Organizations targeting higher assurance levels typically push minimum_password_length to 12 or 14.

FedRAMP Moderate Baseline Rev 4: At the Moderate baseline, IA-5 (Authenticator Management) requires password-based authenticators to enforce minimum length and complexity. For IAM users, an explicit aws_iam_account_password_policy resource is the direct implementation of that requirement.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: iam_account_password_policy_strong_min_length_8
  • AWS Config Managed Rule: IAM_PASSWORD_POLICY
  • Checkov Check: CKV_AWS_10
  • Powerpipe Control: aws_compliance.control.iam_account_password_policy_strong_min_length_8
  • Prowler Checks: iam_password_policy_lowercase, iam_password_policy_minimum_length_14, iam_password_policy_number, iam_password_policy_symbol, iam_password_policy_uppercase
  • AWS Security Hub Controls: IAM.10, IAM.7
  • Trivy Check: AWS-0063

Last reviewed: 2026-03-09
