AWS IAM Password Policy
We can set a password policy on our AWS account to specify complexity requirements and mandatory rotation periods for our IAM users’ passwords.
The following options can be set within the Password Policy:
- Set a minimum password length.
- Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.
- Allow all IAM users to change their own passwords.
  When you allow your IAM users to change their own passwords, IAM automatically allows them to view the password policy. IAM users need permission to view the account’s password policy in order to create a password that complies with the policy.
- Require IAM users to change their password after a specified period (enable password expiration).
- Prevent IAM users from reusing previous passwords.
- Force IAM users to contact an account administrator when they have allowed their password to expire.
The password settings within the policy apply only to passwords assigned to IAM users and do not affect any access keys they might have. If a password expires, the user cannot sign in to the AWS Management Console. However, if the user has valid access keys, the user can still run any AWS CLI or Tools for Windows PowerShell commands, and can still call, through an application, any API operations that the user’s permissions allow.
When you create or change a password policy, most of the password policy settings are enforced the next time your users change their passwords. However, some of the settings are enforced immediately.
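As an added example (not AWS's code and not part of the original page), the Python below audits the options listed above against a baseline. It assumes the policy is supplied as the `PasswordPolicy` object that `aws iam get-account-password-policy` returns; the thresholds, the function name and the sample values are assumptions made for illustration.

```python
# Baseline thresholds are assumptions for this example, not AWS requirements.
BASELINE = {"MinimumPasswordLength": 14, "MaxPasswordAge": 90,
            "PasswordReusePrevention": 24}
CHARACTER_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                   "RequireNumbers", "RequireSymbols")


def audit_password_policy(policy, baseline=BASELINE):
    """Return findings for a PasswordPolicy dict; an empty list means compliant."""
    if policy is None:  # the account has no custom password policy
        return ["no custom password policy is set"]
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < baseline["MinimumPasswordLength"]:
        findings.append(f"minimum length {length} is below {baseline['MinimumPasswordLength']}")
    for flag in CHARACTER_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enabled")
    if not policy.get("AllowUsersToChangePassword", False):
        findings.append("users cannot change their own passwords")
    # MaxPasswordAge is absent (or 0) when passwords never expire.
    age = policy.get("MaxPasswordAge", 0)
    if age == 0:
        findings.append("password expiration is disabled")
    elif age > baseline["MaxPasswordAge"]:
        findings.append(f"password age {age} days exceeds {baseline['MaxPasswordAge']}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < baseline["PasswordReusePrevention"]:
        findings.append(f"reuse prevention {reuse} is below {baseline['PasswordReusePrevention']}")
    return findings


# Constructed sample in the shape of the "PasswordPolicy" object returned by
# `aws iam get-account-password-policy`; not captured from a real account.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}

if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Because the password policy does not affect access keys, an empty findings list here says nothing about the age or rotation of a user's access keys; those need a separate review.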