MEDIUM
Source
Trivy/CSPM
CSPM ID
minimum-password-length
Frameworks

CIS AWS 1.2

CIS AWS 1.4

ID
AVD-AWS-0063

IAM Password policy should have minimum password length of 14 or more characters.

IAM account password policies should ensure that passwords have a minimum length.

The account password policy should be set to enforce minimum password length of at least 14 characters.

Impact

Short, simple passwords are easier to compromise

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for IAM. Step
  3. Scroll down the left navigation panel and choose “Account Settings”. Step
  4. Under the “Password Policy” configuration panel scroll down and check the “Minimum Password Length”. If the password length is set less than 8 characters than the password security is at risk. Step
  5. Click on the “Minimum Password Length” checkbox and mention the minimum characters required to 14. Click the checkbox against “Require at least one uppercase letter” and “Require at least one lowercase letter” to make the password more secure. Step
  6. Click on the “Apply Password Policy” button to make the necessary changes.Step
  7. Now “Password Policy” requires at least 14 characters with one uppercase and one lowercase character for a strong and secure password.

Enforce longer, more complex passwords in the policy

1
2
3
resource "aws_iam_account_password_policy" "good_example" {
  minimum_password_length = 14
}