Password policies are used to enforce the creation and use of complex passwords. Your IAM password policy should require passwords to be rotated or expired within a specified timeframe; we recommend that passwords expire after 90 days or less.
Reducing the lifetime of a password by enforcing regular password changes increases account resilience towards:
- Brute-force attacks;
- Passwords being stolen or compromised, sometimes without your knowledge;
- Web filters and proxy servers intercepting and recording traffic, including encrypted data;
- Use of the same user password across work, email, and personal systems; and
- End user workstations compromised by a keystroke logger.
To change the password policy in the AWS Console you will need appropriate permissions to View Identity Access Management Account Settings.
To manually set the password expiration period in the AWS Console, use the following steps:
- Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/iam/.
- Navigate to IAM Services.
- In the left pane, click Account Settings.
- Select Enable password expiration.
- For "Password expiration period (in days)" enter 90 or less.
- Click Apply password policy.
To change the password policy using the AWS CLI, run:
aws iam update-account-password-policy --max-password-age 90
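`update-account-password-policy` does not support partial updates: any setting left off the command line reverts to its default, so running it with only `--max-password-age` can silently reset an existing length or complexity requirement. The script below is an added example, not part of the original page; it rebuilds the full command from the current policy so that only the expiry changes. The helper names (`build_update_cmd`, `bool_flag`, `num_flag`) are hypothetical and the sample policy line is constructed.

```shell
#!/bin/sh
# Added example: rebuild the complete policy command so only the expiry changes.
# Field order requested from `aws iam get-account-password-policy`.
QUERY='PasswordPolicy.[MinimumPasswordLength,RequireSymbols,RequireNumbers,RequireUppercaseCharacters,RequireLowercaseCharacters,AllowUsersToChangePassword,PasswordReusePrevention,HardExpiry]'

# Emit --name for True, --no-name for False, nothing for None (not set).
bool_flag() {
    case "$2" in
        True)  printf ' --%s' "$1" ;;
        False) printf ' --no-%s' "$1" ;;
    esac
}

# Emit "--name value" unless the value is None or empty.
num_flag() {
    case "$2" in
        None|'') ;;
        *) printf ' --%s %s' "$1" "$2" ;;
    esac
}

# build_update_cmd "<current values, in QUERY order>" <max age in days>
# Prints the full update command; fails if the age is not within 1..90.
build_update_cmd() {
    max_age=$2
    case "$max_age" in ''|*[!0-9]*) return 1 ;; esac
    [ "$max_age" -ge 1 ] && [ "$max_age" -le 90 ] || return 1
    set -- $1    # split the text-output line into its eight fields
    printf 'aws iam update-account-password-policy --max-password-age %s' "$max_age"
    num_flag  minimum-password-length "$1"
    bool_flag require-symbols "$2"
    bool_flag require-numbers "$3"
    bool_flag require-uppercase-characters "$4"
    bool_flag require-lowercase-characters "$5"
    bool_flag allow-users-to-change-password "$6"
    num_flag  password-reuse-prevention "$7"
    bool_flag hard-expiry "$8"
    printf '\n'
}

# Live use: current=$(aws iam get-account-password-policy --query "$QUERY" --output text)
# Constructed sample of that output (fields are tab-separated in real output).
SAMPLE_POLICY='14 True True True True True 24 False'
build_update_cmd "$SAMPLE_POLICY" 90
```

If the account has no custom policy yet, `get-account-password-policy` returns a NoSuchEntity error and there are no existing settings to preserve.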