A-IAM-1

IAM Users Password Policy Requires at Least 8 Characters

Risk:
High
CWE:
521

AWS IAM user passwords should require at least 8 characters and include a variety of character types.
Details

AWS IAM Users are intended to serve as identities for natural persons who log into AWS, either through the console or via access keys issued for use with the AWS Command Line Interface (CLI) and Software Development Kits (SDK). As these IAM User entities are intended for use by human users, they can utilise a username and password to access the AWS web console.

To manage the security of IAM User passwords, AWS provides an account-wide IAM password policy. The default password policy accepts passwords of at least 8 characters; however, 8 characters is only the minimum acceptable password length advised by the current National Institute of Standards and Technology (NIST) password requirements, detailed in document SP 800-63B.

Considering the data and cost sensitivity of access to an AWS account, we advise setting the minimum password length to the recommended length of 15 characters.

Remediation

We recommend setting the minimum password length to 15 characters, rather than the default minimum length of 8 characters. Longer passwords provide enhanced security and also encourage pass “phrases” rather than short pass “words”. Passphrases may be easier for users to remember while also being more resistant to brute-force attacks.
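The following is an added example, not part of this test page or SkySiege's own tooling. It evaluates an account password policy in the JSON shape returned by `aws iam get-account-password-policy` (or boto3's `get_account_password_policy`) against the 15-character recommendation and the character-type requirements above, and builds the `aws iam update-account-password-policy` command that applies the remediation. The two sample policies are constructed; the threshold of 15 and the default of 8 come from the text above.

```python
"""Check an AWS account password policy against the 15-character recommendation.

Added example (not part of the original test page). It evaluates the
"PasswordPolicy" document in the shape returned by
`aws iam get-account-password-policy` / boto3 get_account_password_policy,
so it can be run offline on captured JSON; the sample policies below are
constructed, not taken from a real account.
"""
import json

RECOMMENDED_MIN_LENGTH = 15   # recommended length from the remediation advice
AWS_DEFAULT_MIN_LENGTH = 8    # length enforced when no custom policy exists

# Complexity flags corresponding to "a variety of character types".
COMPLEXITY_FLAGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)


def evaluate_password_policy(policy):
    """Return a list of finding strings; an empty list means the policy passes.

    `policy` is the inner "PasswordPolicy" dict, or None when the account has
    no custom policy (the API raises NoSuchEntity in that case, meaning the
    AWS default of an 8-character minimum applies).
    """
    findings = []
    if policy is None:
        findings.append(
            f"no custom password policy: AWS default minimum of "
            f"{AWS_DEFAULT_MIN_LENGTH} characters applies "
            f"(recommended {RECOMMENDED_MIN_LENGTH})"
        )
        return findings

    min_len = policy.get("MinimumPasswordLength", AWS_DEFAULT_MIN_LENGTH)
    if min_len < RECOMMENDED_MIN_LENGTH:
        findings.append(
            f"MinimumPasswordLength is {min_len}; "
            f"recommended at least {RECOMMENDED_MIN_LENGTH}"
        )
    for flag in COMPLEXITY_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enabled")
    return findings


def remediation_command(min_length=RECOMMENDED_MIN_LENGTH):
    """Build the AWS CLI command that applies the recommended settings.

    The options are real `aws iam update-account-password-policy` flags.
    Returned as an argument list so it can be handed to subprocess.run.
    """
    return [
        "aws", "iam", "update-account-password-policy",
        "--minimum-password-length", str(min_length),
        "--require-uppercase-characters",
        "--require-lowercase-characters",
        "--require-numbers",
        "--require-symbols",
    ]


# Constructed sample responses (same shape as the API output).
WEAK_RESPONSE = json.loads("""{"PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false
}}""")

HARDENED_RESPONSE = json.loads("""{"PasswordPolicy": {
    "MinimumPasswordLength": 15,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false
}}""")


if __name__ == "__main__":
    cases = (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE), ("no policy", None))
    for name, response in cases:
        policy = response["PasswordPolicy"] if response else None
        findings = evaluate_password_policy(policy)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
    print("remediation:", " ".join(remediation_command()))
```

To run the check against a live account, pipe the output of `aws iam get-account-password-policy` into `json.load` and pass the inner `PasswordPolicy` object to `evaluate_password_policy`; a `NoSuchEntity` error from that call means no custom policy exists and should be treated as the `None` case.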

Our general password policy is detailed in our guidance article summarising our enterprise standard password policy.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests