Ensure IAM password policy require at least one lowercase letter

It is recommended that the password policy require at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords consist of different character sets. Setting a password complexity policy increases account resiliency against brute force login attempts.

Risk Level: Low
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.AWS.IAM.09
Category: Security, Identity, & Compliance

GSL LOGIC

Iam should have passwordPolicy.requireLowercaseCharacter=true

REMEDIATION

From Portal
Perform the following to set the password policy as prescribed:

  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
  2. Go to IAM Service on the AWS Console
  3. Click on Account Settings on the Left Pane
  4. Check 'Requires at least one lowercase letter'
  5. Click 'Apply password policy'

From TF

resource "aws_iam_account_password_policy" "test" {
	minimum_password_length        = 8
	+ require_lowercase_characters   = true
	require_numbers                = true
	require_uppercase_characters   = true
	require_symbols                = true
	allow_users_to_change_password = true
}

From Command Line
To add a password policy with required condition, run:

aws iam update-account-password-policy --require-lowercase-characters

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  2. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  3. https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html
  4. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-account-password-policy.html
  6. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0