Ensure AWS IAM password policy expires in 90 days or less

Error: AWS IAM password policy does not expire in 90 days

Bridgecrew Policy ID: BC_AWS_IAM_11
Checkov Check ID: CKV_AWS_9
Severity: MEDIUM

AWS IAM password policy does not expire in 90 days


Password policies enforce the creation and use of sufficiently complex passwords. Your IAM password policy should require passwords to be rotated or expired within a specified timeframe; we recommend that passwords expire after 90 days or less.

Reducing the lifetime of a password by enforcing regular password changes increases account resilience against:

  • Brute force attack;
  • Passwords being stolen or compromised, sometimes without your knowledge;
  • Web filters and proxy servers intercepting and recording traffic, including encrypted data;
  • Use of the same user password across work, email, and personal systems; and
  • End user workstations compromised by a keystroke logger.

Fix - Runtime

AWS Console

To change the password policy in the AWS Console you will need appropriate permissions to View Identity Access Management Account Settings.

To manually set the password expiration period, follow these steps:

  1. Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/iam/.
  2. Navigate to IAM Services.
  3. On the Left Pane click Account Settings.
  4. Select Enable password expiration.
  5. For Password expiration period (in days), enter 90 or less.
  6. Click Apply password policy.

CLI Command

Change the password policy using CLI command:

aws iam update-account-password-policy --max-password-age 90
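To verify the runtime setting before and after applying the fix, the following added script (not Bridgecrew's or Checkov's own code) evaluates the JSON that `aws iam get-account-password-policy` prints against the same condition this policy checks. The sample responses embedded in it are constructed to match the shape of the real API output; the only assumption is that you pipe the CLI's output into the script on stdin, and that an account with no custom policy is treated as failing, since the AWS default never expires passwords.

```python
"""Offline evaluator for the password-expiration condition (CKV_AWS_9 / BC_AWS_IAM_11).

Added example, not Bridgecrew's or Checkov's own code. It consumes the JSON
document that `aws iam get-account-password-policy` prints and reports whether
passwords are configured to expire within the recommended window.
"""
import json
import sys

RECOMMENDED_MAX_AGE_DAYS = 90


def evaluate_password_policy(response, max_age_days=RECOMMENDED_MAX_AGE_DAYS):
    """Return (passed, reason) for the password-expiration requirement.

    `response` is the parsed output of get-account-password-policy, i.e. a dict
    with a top-level "PasswordPolicy" key, or None when the account has no
    custom policy at all (the CLI reports NoSuchEntity in that case).
    """
    if not response or "PasswordPolicy" not in response:
        # No custom policy means the AWS default applies: passwords never expire.
        return False, "no account password policy is configured"
    policy = response["PasswordPolicy"]
    if not policy.get("ExpirePasswords", False):
        # MaxPasswordAge is omitted from the response when expiration is off.
        return False, "password expiration is not enabled"
    max_age = policy.get("MaxPasswordAge")
    if max_age is None:
        return False, "ExpirePasswords is set but MaxPasswordAge is missing"
    if max_age > max_age_days:
        return False, f"MaxPasswordAge is {max_age} days, exceeds {max_age_days}"
    return True, f"passwords expire after {max_age} days"


# Constructed sample responses, shaped like the real API output, for offline use.
SAMPLE_COMPLIANT = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 89,
        "PasswordReusePrevention": 24,
        "HardExpiry": False,
    }
}

SAMPLE_TOO_LONG = {
    "PasswordPolicy": {**SAMPLE_COMPLIANT["PasswordPolicy"], "MaxPasswordAge": 180}
}

SAMPLE_NO_EXPIRY = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": False,
        "RequireNumbers": False,
        "RequireUppercaseCharacters": False,
        "RequireLowercaseCharacters": False,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": False,
    }
}


def main():
    # With no piped input, run against the constructed samples; otherwise
    # evaluate whatever `aws iam get-account-password-policy` piped in.
    if sys.stdin.isatty():
        cases = {
            "compliant": SAMPLE_COMPLIANT,
            "too-long": SAMPLE_TOO_LONG,
            "no-expiry": SAMPLE_NO_EXPIRY,
            "no-policy": None,
        }
    else:
        cases = {"stdin": json.load(sys.stdin)}
    for name, resp in cases.items():
        passed, reason = evaluate_password_policy(resp)
        print(f"{name}: {'PASS' if passed else 'FAIL'} - {reason}")


if __name__ == "__main__":
    main()
```

Usage: `aws iam get-account-password-policy | python check_password_age.py`. If the account has no custom policy the CLI exits with a NoSuchEntity error and prints no JSON, which is itself a failing result for this check; the `None` case in the script models that outcome.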

Fix - Buildtime

Terraform

# Account password policy with expiration at or below the recommended 90 days
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 8
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  password_reuse_prevention      = 24
  # Maximum password age in days; this check passes when the value is 90 or less
  max_password_age               = 89
}