Profile Applicability:

  • Level 1

Description:

This control ensures that the AWS Identity and Access Management (IAM) password policy requires all user passwords to contain at least one uppercase (capital) letter. Requiring an uppercase character enlarges the character set an attacker must search, making passwords more resistant to brute-force and dictionary-based attacks.

Rationale:

Passwords that include a mix of uppercase, lowercase, numeric, and symbolic characters have significantly higher entropy, making them harder to guess or crack. Requiring at least one uppercase letter ensures that user passwords cannot consist solely of predictable or simple patterns. This aligns with password best practices and compliance frameworks such as CIS, SOC 2, ISO 27001, and NIST SP 800-63B, which recommend enforcing character diversity in password creation. 

Impact:

  • Positive Impact: Enhances IAM account security by enforcing stronger and more unpredictable passwords.

  • Negative Impact: May slightly inconvenience users who are unaware of complexity rules during password setup.

Default Value:

By default, AWS does not require passwords to contain uppercase letters unless explicitly configured in the IAM password policy. 

Pre-Requisite:

  • IAM permissions required: iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console with administrative privileges.
  2. Navigate to IAM → Account settings → Password policy.
  3. Check whether the setting “Require at least one uppercase letter” is selected.
  4. If this option is not selected, the account is non-compliant.

Implementation Plan:

Using AWS Console:

  1. Navigate to IAM → Account settings → Password policy.
  2. Click Edit password policy.
  3. Select the checkbox “Require at least one uppercase letter (A–Z)”.
  4. (Optional) Enable additional password complexity settings such as:
     • Require lowercase letters, numbers, and symbols.
     • Set a minimum password length (e.g., 14 characters).
     • Enable password expiration and prevent reuse.
  5. Click Save changes.

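The test plan, implementation plan and backout plan above can also be carried out with the AWS CLI, using the two IAM permissions listed under Pre-Requisite (aws iam get-account-password-policy and aws iam update-account-password-policy). The following script is an added example and is not part of this control's text: it evaluates the control against the saved JSON output of get-account-password-policy (a constructed sample is embedded, not a real account), and builds the update command for remediation and for backout. It does not call AWS itself. One caveat it handles: update-account-password-policy does not do partial updates, so every setting not restated on the command line reverts to its default; the builder therefore replays every existing setting alongside the uppercase flag. The field names and CLI flags are those of the IAM API and AWS CLI; ExpirePasswords has no flag because it is derived from MaxPasswordAge.

```python
import json
import shlex

# Constructed sample of `aws iam get-account-password-policy` output (not a
# real account). Field names follow the IAM GetAccountPasswordPolicy response.
SAMPLE_POLICY_JSON = """
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": false,
        "HardExpiry": false
    }
}
"""

# Boolean policy fields and their (enable, disable) flags on
# `aws iam update-account-password-policy`.
BOOL_FLAGS = {
    "RequireSymbols": ("--require-symbols", "--no-require-symbols"),
    "RequireNumbers": ("--require-numbers", "--no-require-numbers"),
    "RequireUppercaseCharacters": ("--require-uppercase-characters",
                                   "--no-require-uppercase-characters"),
    "RequireLowercaseCharacters": ("--require-lowercase-characters",
                                   "--no-require-lowercase-characters"),
    "AllowUsersToChangePassword": ("--allow-users-to-change-password",
                                   "--no-allow-users-to-change-password"),
    "HardExpiry": ("--hard-expiry", "--no-hard-expiry"),
}
# Integer policy fields and their flags. ExpirePasswords is response-only.
INT_FLAGS = {
    "MinimumPasswordLength": "--minimum-password-length",
    "MaxPasswordAge": "--max-password-age",
    "PasswordReusePrevention": "--password-reuse-prevention",
}


def load_policy(raw_json):
    """Parse saved CLI output. Returns None when no custom policy exists
    (the CLI call fails with NoSuchEntity and produces no JSON)."""
    if raw_json is None or not raw_json.strip():
        return None
    return json.loads(raw_json)["PasswordPolicy"]


def check_uppercase_requirement(policy):
    """Test plan: return (compliant, finding) for this control."""
    if policy is None:
        return False, ("no custom password policy is set; the AWS default "
                       "does not require an uppercase letter")
    if policy.get("RequireUppercaseCharacters") is True:
        return True, "RequireUppercaseCharacters is enabled"
    return False, "RequireUppercaseCharacters is disabled"


def _build_update_command(settings):
    """Render a full update command. Every known setting is restated
    because unspecified parameters revert to their defaults on update."""
    args = ["aws", "iam", "update-account-password-policy"]
    for key, (on_flag, off_flag) in BOOL_FLAGS.items():
        if key in settings:
            args.append(on_flag if settings[key] else off_flag)
    for key, flag in INT_FLAGS.items():
        if key in settings:
            args.extend([flag, str(settings[key])])
    return shlex.join(args)


def build_remediation_command(policy):
    """Implementation plan: keep existing settings, enable the uppercase rule."""
    settings = dict(policy or {})
    settings["RequireUppercaseCharacters"] = True
    return _build_update_command(settings)


def build_backout_command(policy):
    """Backout plan: keep existing settings, disable only the uppercase rule."""
    settings = dict(policy or {})
    settings["RequireUppercaseCharacters"] = False
    return _build_update_command(settings)


if __name__ == "__main__":
    current = load_policy(SAMPLE_POLICY_JSON)
    compliant, finding = check_uppercase_requirement(current)
    print("compliant:", compliant, "-", finding)
    if not compliant:
        print("remediate:", build_remediation_command(current))
        print("backout:  ", build_backout_command(current))
```

To run it against a real account, save the output of aws iam get-account-password-policy to a file and pass its contents to load_policy; review the printed command before executing it, since it will overwrite the whole policy with exactly the settings shown.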
Backout Plan:

Using AWS Console:

  1. If users experience issues logging in or creating passwords, temporarily disable the uppercase requirement.
  2. Communicate password policy changes to users and re-enable the requirement once training or support materials are provided.

References: