Password policy strength
Check ID: aws-iam-006
AWS-IAM-006 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether the account password policy meets the CIS requirements (minimum 14 characters, with uppercase, lowercase, numbers and symbols all required).
Why it matters
The default AWS password policy requires only 6 characters with no complexity requirements, making brute-force attacks trivial. NIST 800-63B recommends a minimum of 8 characters, while CIS AWS Benchmark requires 14. Weak passwords are routinely cracked in credential stuffing attacks using databases from previous breaches - the Have I Been Pwned database contains over 800 million compromised passwords. A strong password policy combined with MFA provides defense in depth. Setting password reuse prevention to 24 generations and max age to 90 days ensures that compromised passwords are rotated out before they can be exploited in subsequent attacks.
Common causes
Password policy remains at AWS defaults because the account was set up years ago before security hardening was a priority. Teams that rely exclusively on SSO for authentication may not realize the IAM password policy still applies to local IAM users created for service accounts or legacy integrations. Automated account provisioning scripts often skip the password policy configuration step entirely.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
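The evaluation this check performs, written out as an added example (not cloud-audit's own code): a function that takes the PasswordPolicy dict that boto3's iam.get_account_password_policy() returns and lists every CIS requirement the policy fails. It goes slightly beyond the check's stated scope by also testing the reuse-prevention and max-age settings the remediation below applies, and it treats a missing policy (the NoSuchEntityException case) as the AWS default. The sample policies are constructed, not real account data.

```python
"""Evaluate an IAM account password policy against the CIS thresholds behind aws-iam-006."""

# Thresholds from CIS AWS Foundations Benchmark 1.8 and the remediation settings.
CIS_MIN_LENGTH = 14
CIS_REUSE_PREVENTION = 24
CIS_MAX_AGE_DAYS = 90

# boto3's iam.get_account_password_policy() raises NoSuchEntityException when no
# policy was ever set; the account is then on the AWS default (6 chars, no
# complexity rules). We model that case as policy=None.
AWS_DEFAULT_POLICY = {"MinimumPasswordLength": 6}

# Complexity flags as named in the boto3 PasswordPolicy response.
COMPLEXITY_KEYS = (
    ("RequireUppercaseCharacters", "uppercase"),
    ("RequireLowercaseCharacters", "lowercase"),
    ("RequireNumbers", "numbers"),
    ("RequireSymbols", "symbols"),
)


def evaluate_password_policy(policy):
    """Return the list of failed requirements; an empty list means compliant."""
    if policy is None:
        policy = AWS_DEFAULT_POLICY
    failures = []
    if policy.get("MinimumPasswordLength", 6) < CIS_MIN_LENGTH:
        failures.append(f"minimum length < {CIS_MIN_LENGTH}")
    for key, label in COMPLEXITY_KEYS:
        if not policy.get(key, False):
            failures.append(f"{label} not required")
    # Rotation settings: an absent key means that control is switched off.
    if policy.get("PasswordReusePrevention", 0) < CIS_REUSE_PREVENTION:
        failures.append(f"reuse prevention < {CIS_REUSE_PREVENTION} generations")
    max_age = policy.get("MaxPasswordAge")
    if max_age is None or max_age > CIS_MAX_AGE_DAYS:
        failures.append(f"max age unset or > {CIS_MAX_AGE_DAYS} days")
    return failures


# Constructed sample policies for a dry run (not fetched from any account).
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireNumbers": True, "ExpirePasswords": False}
STRICT_POLICY = {"MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "RequireNumbers": True,
                 "RequireSymbols": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}

if __name__ == "__main__":
    for name, pol in (("default", None), ("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, evaluate_password_policy(pol) or "compliant")
```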
Remediation: AWS CLI
aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --max-password-age 90 \
  --password-reuse-prevention 24
Remediation: Terraform
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length      = 14
  require_lowercase_characters = true
  require_uppercase_characters = true
  require_numbers              = true
  require_symbols              = true
  max_password_age             = 90
  password_reuse_prevention    = 24
}
Compliance mapping
This check maps to CIS 1.8 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit