Database

Need

Implementation of a strong password policy

Context

• Usage of CloudFormation for Infrastructure as Code (IaC)

• Usage of AWS IAM for managing user access and permissions

Description

1. Non-compliant code

Resources:
  WeakIAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: my-user

  WeakLoginProfile:
    Properties:...

This CloudFormation example creates an IAM user but does not define an account-level password policy. The password policy is an account-wide setting, so without one every IAM user in the account can choose a weak password, which makes those accounts more susceptible to brute-force and password-guessing attacks.

2. Steps

• Add an `AWS::IAM::AccountPasswordPolicy` resource to the CloudFormation template.

• Set `MinimumPasswordLength` to at least 14.

• Require uppercase, lowercase, numeric, and special characters.

• Optionally configure password reuse prevention and expiration.

• Educate users on strong password usage and enforce MFA where possible.
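To verify that the resulting account policy actually satisfies the requirements in the steps above, the following Python check is added here as an example (it is not part of the original entry). It evaluates a password policy document laid out like the PasswordPolicy object returned by IAM's GetAccountPasswordPolicy API (for instance from boto3's iam.get_account_password_policy()["PasswordPolicy"]); the function name check_password_policy and the three sample policies are constructed for this example, and a missing policy is represented as None, which is how the non-compliant baseline above behaves.

```python
"""Compliance check for an IAM account password policy (added example).

The dictionary layout mirrors the ``PasswordPolicy`` object returned by
IAM's GetAccountPasswordPolicy API; the sample policies below are
constructed for this example and do not come from a real account.
"""
from __future__ import annotations

# Thresholds taken from the Steps section: at least 14 characters and all
# four character classes. Reuse prevention and expiry are the optional items.
MIN_LENGTH = 14
REQUIRED_FLAGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)


def check_password_policy(policy: dict | None) -> list[str]:
    """Return a list of findings; an empty list means the policy is compliant.

    ``policy`` is None when the account has no password policy at all
    (IAM reports NoSuchEntity in that case), which is the non-compliant
    baseline from the first code example.
    """
    if not policy:
        return ["no account password policy is configured"]

    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(
            f"MinimumPasswordLength is {length}, need at least {MIN_LENGTH}"
        )

    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enforced")

    # Optional hardening from the Steps section, reported as findings so the
    # caller can decide whether to treat them as blocking.
    if policy.get("PasswordReusePrevention", 0) < 1:
        findings.append("PasswordReusePrevention is not set (password reuse allowed)")
    if not policy.get("ExpirePasswords", False):
        findings.append("ExpirePasswords is false (no MaxPasswordAge enforced)")

    return findings


# Constructed samples: no policy at all, a weak policy, and a policy that
# matches the secure example on this page.
NO_POLICY = None
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireNumbers": True,
}
STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

if __name__ == "__main__":
    for name, pol in (("none", NO_POLICY), ("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        findings = check_password_policy(pol)
        print(f"{name}: {'compliant' if not findings else findings}")
```

Running the module prints the findings for each sample; in a real audit the dictionary would be fetched with boto3 and the non-empty result treated as a failed control.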

3. Secure code example

Resources:
  StrongPasswordPolicy:
    Type: AWS::IAM::AccountPasswordPolicy
    Properties:
      MinimumPasswordLength: 14
      RequireUppercaseCharacters: true
      RequireLowercaseCharacters: true
      RequireSymbols: true...

This CloudFormation example defines a strong account-level password policy using the AWS::IAM::AccountPasswordPolicy resource. It enforces complexity requirements such as a minimum length of 14 characters, uppercase and lowercase letters, numbers and symbols, and password expiration, and because the policy is account-wide it applies to every IAM user that signs in with a password.