Profile Applicability:
Level 1
Description:
This control ensures that the AWS Identity and Access Management (IAM) password policy requires users to include at least one symbol (special character) in their passwords. Enforcing symbol usage strengthens password complexity, making it significantly harder for attackers to guess or brute-force credentials.
Rationale:
Requiring at least one symbol in IAM user passwords increases password entropy and enhances resistance against automated password-cracking attacks. Complex passwords protect against unauthorized access to AWS accounts, helping maintain the integrity and confidentiality of cloud resources. This aligns with best practices for identity management and supports compliance with frameworks such as CIS, SOC 2, ISO 27001, and NIST SP 800-63B.
Impact:
Positive Impact: Improves account security by enforcing strong password complexity and reducing the likelihood of successful brute-force or dictionary attacks.
Negative Impact: May cause mild inconvenience to users during password creation if they are unaware of the updated complexity requirements.
Default Value:
By default, the AWS IAM password policy does not require symbols unless explicitly configured.
Pre-Requisite:
IAM permissions required:
iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy.
Test Plan
Using AWS Console:
Sign in to the AWS Management Console using an account with IAM administrative privileges.
Navigate to IAM → Account settings → Password policy.
Verify that the option Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] {} | ' , . / ?) is selected.
If this option is not selected, the account is non-compliant.
Implementation Plan
Using AWS Console:
Navigate to IAM → Account settings → Password policy.
Click Edit password policy.
Select the checkbox Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] {} | ' , . / ?).
(Optional) Review and enable additional best-practice options such as:
Minimum password length of 14 characters.
Require at least one uppercase and one lowercase letter.
Require at least one number.
Prevent password reuse.
Click Save changes.
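The console steps above can be audited and remediated programmatically. The following Python is an added example, not part of this benchmark text: check_policy() evaluates the PasswordPolicy document that the IAM GetAccountPasswordPolicy API returns (a constructed sample is embedded so it runs offline), and merged_policy_update() builds the parameters for UpdateAccountPasswordPolicy. The two boto3 wrapper functions are assumptions about how a practitioner would wire this up; they need credentials holding the permissions listed under Pre-Requisite and are not exercised offline. Two caveats the console hides are handled here: an account with no custom policy raises NoSuchEntity and must be treated as non-compliant, and UpdateAccountPasswordPolicy does not support partial updates, so any parameter you omit reverts to its default.

```python
"""Audit and remediate the IAM account password policy RequireSymbols setting."""

# Optional hardening settings from the implementation plan; reported as advisories,
# not as failures, because this control is only about RequireSymbols.
RECOMMENDED = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "PasswordReusePrevention": 24,
}

# Keys that UpdateAccountPasswordPolicy accepts. GetAccountPasswordPolicy also returns
# read-only fields such as ExpirePasswords, which must not be passed back.
UPDATABLE = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)

# Constructed sample: shape of response["PasswordPolicy"] for a non-compliant account.
SAMPLE_NONCOMPLIANT = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}


def check_policy(policy):
    """Evaluate a PasswordPolicy dict (None = no custom policy exists).

    Returns {"compliant": bool, "findings": [...], "advisories": [...]}.
    """
    if policy is None:
        return {
            "compliant": False,
            "findings": ["no custom password policy; AWS default does not require symbols"],
            "advisories": [],
        }
    findings = []
    if not policy.get("RequireSymbols", False):
        findings.append("RequireSymbols is false")
    advisories = []
    for key, want in RECOMMENDED.items():
        have = policy.get(key)
        if isinstance(want, bool):
            ok = have is True
        else:
            ok = isinstance(have, int) and have >= want
        if not ok:
            advisories.append(f"{key} is {have!r}, recommended {want!r}")
    return {"compliant": not findings, "findings": findings, "advisories": advisories}


def merged_policy_update(current):
    """Build UpdateAccountPasswordPolicy kwargs that flip RequireSymbols on.

    Starts from the current policy so that unmentioned settings are preserved
    rather than silently reset to their defaults.
    """
    params = {k: current[k] for k in UPDATABLE if current and k in current}
    params["RequireSymbols"] = True
    return params


def audit_account(iam_client=None):
    """Assumed wrapper: fetch the live policy with boto3 and evaluate it."""
    import boto3  # imported lazily so the offline checks above need no AWS SDK
    iam = iam_client or boto3.client("iam")
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        current = None
    return check_policy(current)


def remediate_account(iam_client=None):
    """Assumed wrapper: enable RequireSymbols while keeping other settings."""
    import boto3
    iam = iam_client or boto3.client("iam")
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        current = None
    params = merged_policy_update(current)
    iam.update_account_password_policy(**params)
    return params


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(check_policy(SAMPLE_NONCOMPLIANT))
    print(merged_policy_update(SAMPLE_NONCOMPLIANT))
```

Run it against the constructed sample first; then call audit_account() with a session that has iam:GetAccountPasswordPolicy, and remediate_account() only after confirming the merged parameters match what you intend, since the update replaces the whole policy.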
Backout Plan:
If password creation issues arise, temporarily clear the Require at least one non-alphanumeric character option in the password policy.
Communicate password format requirements to users and re-enable the setting once users are informed.
References: