This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. 

Priority: High   

Category: Centralized Controls Management 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM) 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 

Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered:

Does the company specify a degree of complexity including minimum requirements for each type? Does the company require a different password when new passwords are created?


  • Enforce Password Complexity and Change
    Description: This check ensures that organizations enforce minimum password complexity and require the change of characters when new passwords are created. Password complexity refers to the requirements for the composition of passwords, such as the use of a combination of uppercase and lowercase letters, numbers, and special characters. Requiring the change of characters means that a certain number of characters must be changed when creating a new password, compared to the previous password. These measures help strengthen password security and mitigate the risk of unauthorized access through brute force attacks. Organizations should establish password complexity policies and define the minimum complexity requirements and password change frequency based on industry best practices and security guidelines.
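
One way to produce the technical evidence for this check is to evaluate the account password policy returned by `aws iam get-account-password-policy` against a baseline. The following is an added example, not part of the original control text or any AWS tooling. The `BASELINE` thresholds and the function name are assumptions, and `PasswordReusePrevention` is used here as the IAM setting that evidences the "different password" question.

```python
import json

# Assumed baseline: the page gives no numeric thresholds, so these values are
# placeholders for the organization's documented password standard.
BASELINE = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 5}
CHARACTER_CLASSES = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)

def evaluate_password_policy(policy, baseline=BASELINE):
    """Return findings for one account; an empty list means the baseline is met.

    `policy` is the PasswordPolicy object from
    `aws iam get-account-password-policy`, or None when the account has no
    custom policy (the API returns NoSuchEntity in that case).
    """
    if policy is None:
        return ["no account password policy is configured"]
    findings = [f"{key} is not enabled"
                for key in CHARACTER_CLASSES if not policy.get(key, False)]
    # IAM omits PasswordReusePrevention from the response when reuse is not
    # restricted, so a missing key counts as 0 remembered passwords.
    for key, minimum in baseline.items():
        actual = policy.get(key, 0)
        if actual < minimum:
            findings.append(f"{key} is {actual}, baseline requires {minimum}")
    return findings

# Constructed sample response, not taken from a real account.
SAMPLE_RESPONSE = json.loads("""
{"PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false
}}
""")

if __name__ == "__main__":
    for finding in evaluate_password_policy(SAMPLE_RESPONSE["PasswordPolicy"]):
        print("FAIL:", finding)
```

The findings list can be stored alongside the configuration screenshot as objective evidence.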

More Details:   

Comprehensive password policies are in place via the company cybersecurity handbook and employee training.