Profile Applicability:
Level 1
Description:
This control ensures that the AWS Identity and Access Management (IAM) account password policy enforces a minimum password length of 14 characters or greater. The policy governs the console sign-in passwords of IAM users in the account; it does not apply to the root user password, to access keys, or to identities federated through IAM Identity Center or an external identity provider. A longer minimum length raises the cost of offline guessing and dictionary-based attacks against those passwords.
Rationale:
Password length is the single largest contributor to password strength. Short passwords are easier for attackers to guess or crack with automated tools, and composition rules alone do not compensate for them. Enforcing a minimum length of 14 or more characters raises the entropy of user-chosen passwords, making them more resilient to brute-force and dictionary attacks. (Length does not by itself defend against credential stuffing, which reuses passwords leaked elsewhere; that requires MFA and reuse prevention.) This control aligns with the CIS AWS Foundations Benchmark and with controls commonly required under ISO 27001 and SOC 2, and it is consistent with NIST SP 800-63B, which favors password length over complexity rules.
Impact:
Positive Impact: Strengthens overall IAM account security by enforcing strong password creation standards and reducing the likelihood of compromise through weak credentials.
Negative Impact: Users may find it slightly inconvenient to create and remember longer passwords, but this can be mitigated with password managers or passphrases.
Default Value:
By default, an AWS account uses the AWS default password policy, which requires a minimum length of 8 characters (and a maximum of 128). An account that has never had a custom policy configured is therefore non-compliant with this control until the minimum length is raised to 14 or greater.
Pre-Requisite:
IAM permissions required: iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy.
Test Plan
Using AWS Console:
Sign in to the AWS Management Console with administrative privileges.
Navigate to IAM → Account settings → Password policy.
Review the setting “Minimum password length.”
Verify that the minimum password length is set to 14 or greater.
If the value is less than 14, or if the account is still using the AWS default policy (minimum length 8), the account is non-compliant.
Implementation Plan
Using AWS Console:
Navigate to IAM → Account settings → Password policy.
Click Edit password policy.
Set “Minimum password length” to 14 or greater (e.g., 16).
(Optional) Enable additional password complexity settings, such as requiring uppercase letters, lowercase letters, numbers, and symbols.
Click Save changes.
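The Test Plan and Implementation Plan above are written for the console. The following script is an added example, not part of this benchmark page, that performs the same check and remediation with the AWS CLI's JSON output. It evaluates the output of `aws iam get-account-password-policy` against the 14-character requirement, treats an account with no policy (the CLI returns a NoSuchEntity error) as non-compliant, and builds the full `aws iam update-account-password-policy` command line. It carries every existing setting over explicitly, because the UpdateAccountPasswordPolicy API resets any parameter that is omitted to its default. The sample policy JSON is constructed for the offline run; the function and variable names are the author's own.

```python
"""Audit and remediate the IAM minimum-password-length control.

Added example: runs offline against a constructed sample of the CLI output;
swap in get_policy_from_cli() to audit a live account.
"""
import json
import subprocess
from typing import Optional

MIN_LENGTH = 14  # the value this control requires

# Constructed sample of `aws iam get-account-password-policy` output for an
# account still on the AWS default minimum of 8 characters (non-compliant).
SAMPLE_POLICY_JSON = """{
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": true,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": false
  }
}"""

# Boolean policy fields and the CLI flag (with its --no- counterpart) that sets each.
BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}
# Integer policy fields and their CLI flags. ExpirePasswords is read-only
# (derived from MaxPasswordAge) and is deliberately not mapped.
INT_FLAGS = {
    "MaxPasswordAge": "max-password-age",
    "PasswordReusePrevention": "password-reuse-prevention",
}


def parse_policy(json_text: Optional[str]) -> Optional[dict]:
    """Return the PasswordPolicy object, or None when no policy is set.

    An account that has never had a policy configured makes the CLI exit
    non-zero with NoSuchEntity and print nothing to stdout; callers pass
    None (or an empty string) in that case.
    """
    if not json_text:
        return None
    return json.loads(json_text)["PasswordPolicy"]


def is_compliant(policy: Optional[dict], min_length: int = MIN_LENGTH) -> bool:
    """Control check: a policy must exist and require at least min_length."""
    if policy is None:
        return False
    return int(policy.get("MinimumPasswordLength", 0)) >= min_length


def remediation_args(policy: Optional[dict], min_length: int = MIN_LENGTH) -> list:
    """Build the complete update-account-password-policy command line.

    Every parameter omitted from UpdateAccountPasswordPolicy is reset to its
    default, so all current settings are restated alongside the new length.
    An already-higher minimum is kept rather than lowered.
    """
    current = policy or {}
    new_length = max(min_length, int(current.get("MinimumPasswordLength", 0)))
    args = ["aws", "iam", "update-account-password-policy",
            "--minimum-password-length", str(new_length)]
    for key, flag in BOOL_FLAGS.items():
        if key in current:
            args.append(f"--{flag}" if current[key] else f"--no-{flag}")
    for key, flag in INT_FLAGS.items():
        if key in current:
            args += [f"--{flag}", str(current[key])]
    return args


def get_policy_from_cli() -> Optional[dict]:
    """Fetch the live policy; returns None when the CLI reports NoSuchEntity."""
    proc = subprocess.run(["aws", "iam", "get-account-password-policy"],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        if "NoSuchEntity" in proc.stderr:
            return None
        raise RuntimeError(proc.stderr.strip())
    return parse_policy(proc.stdout)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_JSON)  # or get_policy_from_cli()
    status = "PASS" if is_compliant(policy) else "FAIL"
    current_len = policy.get("MinimumPasswordLength") if policy else "no policy"
    print(f"MinimumPasswordLength={current_len} -> {status}")
    if status == "FAIL":
        print("Remediation:", " ".join(remediation_args(policy)))
```

Running the script as-is prints FAIL for the sample and the full remediation command; review that command before executing it, since it restates the password-age and reuse settings and any value missing from the current policy will be set to the API default.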
Backout Plan:
A change to the password policy is enforced when a user next sets or changes a password; existing passwords are not invalidated, so sign-in failures are not expected from raising the minimum length. If users report difficulty creating passwords under a stricter setting (e.g., 16), reduce the minimum to 14, which still satisfies this control, and communicate the change. Do not lower the value below 14.
Provide password management guidance and training to users to support compliance with the policy.
References: