Drata validates that the AWS IAM password policy requires a minimum length of 14 characters or greater.
Password policies are used, in part, to enforce password complexity requirements. An IAM
account password policy can be used to ensure that IAM user passwords are at least a given
length. It is recommended that the password policy require a minimum password length of
14 characters. A longer minimum length raises the cost of brute force and password-guessing
attacks against IAM user credentials.
ASSOCIATED DRATA CONTROL
This test is part of the Minimum Strong Password Requirements control (DCF-346) and Password Policy and Configuration (DCF-68). Minimum password requirements are enforced on system components including a minimum length of 12 characters (or if the system does not support 12 characters, a minimum length of eight characters) and complexity requirements to include both numbers and letters. Password Policy and Configuration control ensures that your company has a documented policy outlining the minimum requirements for passwords used for authentication to organizational systems. Password requirements are enforced for all systems in accordance with company policy.
WHAT TO DO IF A TEST FAILS
If Drata finds that the current AWS IAM password policy's minimum password length is set to fewer than 14 characters, the test will fail.
STEPS TO REMEDIATE
Log in to the AWS Console with permissions to view and update the IAM account password policy (the iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy actions).
Go to IAM Service on the AWS Console.
Click on Account Settings on the left pane.
Set 'Minimum password length' to 14 or greater.
Click 'Apply password policy'.
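The same check and fix from the AWS CLI, as an added example that is not part of Drata's documentation or tooling. It parses the JSON that `aws iam get-account-password-policy` prints (a constructed sample is embedded so the script runs offline) and prints the `aws iam update-account-password-policy` command that remediates the finding. The flag values carried forward in that command are an assumption matching the sample policy; take yours from your own account's current policy output.

```shell
#!/bin/sh
# Added example, not Drata's or AWS's own code. Checks the account password
# policy JSON printed by `aws iam get-account-password-policy` against the
# 14-character minimum this test enforces and shows the remediation command.
# Uses only tr and sed, so it does not need jq.

# Constructed sample output (not captured from a real account). This policy
# fails the test because MinimumPasswordLength is 8.
SAMPLE_POLICY_JSON='{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": false,
        "HardExpiry": false
    }
}'

# Print the MinimumPasswordLength value, or nothing if the field is absent
# (get-account-password-policy fails with NoSuchEntity when no custom policy
# is set; an empty value is treated as non-compliant below).
min_length_from_json() {
    printf '%s\n' "$1" | tr -d '\n' \
        | sed -n 's/.*"MinimumPasswordLength":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the policy passes (length >= 14), 1 otherwise.
check_min_length() {
    len=$(min_length_from_json "$1")
    if [ -n "$len" ] && [ "$len" -ge 14 ]; then
        return 0
    fi
    return 1
}

# Remediation. update-account-password-policy is a full replace, not a
# partial update: any flag you omit reverts to its default. So carry forward
# every setting already in force (here, the values from the sample policy;
# take yours from your own get-account-password-policy output) alongside the
# new minimum length. The command is only printed unless APPLY=1 is set.
remediate() {
    set -- aws iam update-account-password-policy \
        --minimum-password-length 14 \
        --require-symbols --require-numbers \
        --require-uppercase-characters --require-lowercase-characters \
        --allow-users-to-change-password --no-hard-expiry
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf 'Would run: %s\n' "$*"
    fi
}

CURRENT_LEN=$(min_length_from_json "$SAMPLE_POLICY_JSON")
if check_min_length "$SAMPLE_POLICY_JSON"; then
    echo "PASS: minimum password length is $CURRENT_LEN"
else
    echo "FAIL: minimum password length is ${CURRENT_LEN:-unset}; 14 or more is required"
    remediate
fi
```

Replace the embedded sample with `aws iam get-account-password-policy` output when running against a real account, and review the printed command before setting `APPLY=1`. The full-replace behaviour is the practical trap here: running `update-account-password-policy --minimum-password-length 14` on its own will silently drop any complexity, rotation and reuse settings the account already had. Note also that this policy governs IAM user console passwords only; identities that sign in through IAM Identity Center or an external identity provider are governed by that provider's password policy.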
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security's (CIS) Amazon Web Services Foundations Benchmark, which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.