Password Policy

Accounts may optionally be associated with a single password policy, which dictates the minimum password complexity for account users in order to avoid potentially weak passwords. Password policies consist of the following components [1]:

  • AllowUsersToChangePassword: Boolean allowing users to change their own passwords from the AWS console. (Default value: false)
  • HardExpiry: Boolean indicating that users will be unable to reset their password via the AWS Console after their current password has expired. (Default value: false)
  • MaxPasswordAge: The number of days that a password is valid for, no less than 0 but not exceeding 1095 (with 0 indicating that the password never expires). (Default value: 0)
  • MinimumPasswordLength: The minimum number of password characters, no less than 6 but not exceeding 128. (Default value: 6)
  • PasswordReusePrevention: The number of previous passwords that account users are prevented from reusing.
  • RequireLowercaseCharacters: Boolean indicating that passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). (Default value: false)
  • RequireNumbers: Boolean indicating that passwords must contain at least one numeric character (0 to 9). (Default value: false)
  • RequireSymbols: Boolean indicating passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ' (Default value: false)
  • RequireUppercaseCharacters: Boolean indicating passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). (Default value: false)

CLI Overview

Example 1: Creating/Updating Password Policy

See here for additional CLI arguments. Fields not specified in the arguments are set to their default values.

Command

aws iam update-account-password-policy

Example 2: Fetch Account Password Policy

Command

aws iam get-account-password-policy

Output

{
    "PasswordPolicy": {
        "MinimumPasswordLength": 6,
        "RequireSymbols": false,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false,
        "ExpirePasswords": false
    }
}
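
The output above is an all-defaults policy. The following added example (not part of the original page) checks such a response against a baseline. The baseline numbers and the names `audit_policy`, `BASELINE` and `REQUIRED_FLAGS` are assumptions chosen for illustration; the field names are the ones listed under Password Policy.

```python
import json
import sys

# Constructed sample: the all-defaults response shown in Example 2.
SAMPLE = """
{"PasswordPolicy": {"MinimumPasswordLength": 6, "RequireSymbols": false,
 "RequireNumbers": false, "RequireUppercaseCharacters": false,
 "RequireLowercaseCharacters": false, "AllowUsersToChangePassword": false,
 "ExpirePasswords": false}}
"""

# Assumed baseline, for illustration only; substitute your own standard.
BASELINE = {"MinimumPasswordLength": 14, "MaxPasswordAge": 90,
            "PasswordReusePrevention": 5}
REQUIRED_FLAGS = ("RequireLowercaseCharacters", "RequireUppercaseCharacters",
                  "RequireNumbers", "RequireSymbols")


def audit_policy(response):
    """Return findings for a parsed get-account-password-policy response."""
    policy = response.get("PasswordPolicy", {})
    findings = []

    length = policy.get("MinimumPasswordLength", 6)  # documented default: 6
    if length < BASELINE["MinimumPasswordLength"]:
        findings.append(f"MinimumPasswordLength is {length}, baseline is "
                        f"{BASELINE['MinimumPasswordLength']}")

    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):  # documented default: false
            findings.append(f"{flag} is false")

    # These fields are absent from the sample response; treat absence as 0.
    # For MaxPasswordAge, 0 means the password never expires.
    age = policy.get("MaxPasswordAge", 0)
    if age == 0 or age > BASELINE["MaxPasswordAge"]:
        findings.append(f"MaxPasswordAge is {age}, baseline is 1 to "
                        f"{BASELINE['MaxPasswordAge']} days")

    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < BASELINE["PasswordReusePrevention"]:
        findings.append(f"PasswordReusePrevention is {reuse}, baseline is "
                        f"{BASELINE['PasswordReusePrevention']}")
    return findings


if __name__ == "__main__":
    # Optional argument: a file holding saved get-account-password-policy output.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else json.loads(SAMPLE)
    print("\n".join(audit_policy(doc)) or "policy meets baseline")
```

Run against the sample, every check fails, which shows how little an all-defaults policy enforces.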

Example 3: Deleting Account Password Policy

Command

aws iam delete-account-password-policy