Ensure IAM password policy expires passwords within 90 days or less

IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios: - Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat. - Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. - Many people use the same password for many systems such as work, email, and personal. - Compromised end user workstations might have a keystroke logger.

Risk Level: Low
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.AWS.IAM.15
Covered by Spectral: No
Category: Security, Identity, & Compliance


Iam should have passwordPolicy.maxPasswordAge>0 and passwordPolicy.maxPasswordAge<91


From Portal
Perform the following steps to set the password policy via AWS Console.

  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
  2. Go to IAM Service on the AWS Console
  3. Click on Account Settings on the Left Pane
  4. Check 'Enable password expiration'
  5. Set 'Password expiration period (in days):' to 90 or less

From TF

resource "aws_iam_account_password_policy" "strict" {
	max_password_age               = TYPE_VALUE <= 90

From Command Line

aws iam update-account-password-policy --max-password-age 90


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • AWS CIS Foundations v. 1.0.0
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset