Profile Applicability:
Level 1


Description:
This control ensures that the AWS Identity and Access Management (IAM) password policy requires all user passwords to contain at least one numeric character (0–9). Enforcing the inclusion of numbers strengthens password complexity and helps protect against brute-force and dictionary attacks targeting weak or predictable passwords.


Rationale:
Requiring at least one number in passwords increases entropy and decreases the likelihood of successful password guessing or credential compromise. Complex passwords combining letters, numbers, and symbols are significantly harder to crack, reducing the risk of unauthorized account access. Enforcing this requirement supports compliance with security frameworks such as CIS, ISO 27001, SOC 2, and NIST SP 800-63B.


Impact:
Positive Impact: Improves IAM credential security by making passwords more resistant to automated cracking attempts and credential reuse.
Negative Impact: May slightly inconvenience users who are unaware of the password complexity rules during initial setup.


Default Value:
By default, AWS does not require numeric characters in passwords unless explicitly configured.


Prerequisite:

  • IAM permissions required: iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console with administrative privileges.

  2. Navigate to IAM → Account settings → Password policy.

  3. Check whether the option “Require at least one number” is selected.

  4. If this option is not selected, the account is non-compliant.

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Account settings → Password policy.

  2. Click Edit password policy.

  3. Select the checkbox “Require at least one number (0–9).”

  4. (Optional) Enable other complexity settings such as uppercase, lowercase, and symbols for stronger password requirements.

  5. Click Save changes.
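The same audit and remediation can be done through the IAM API using the two permissions listed under Prerequisite. The script below is an added example, not part of this control text: it evaluates a GetAccountPasswordPolicy result (treating a NoSuchEntity error, i.e. no custom policy, as non-compliant), and builds an UpdateAccountPasswordPolicy call that preserves every existing setting, since that API replaces the whole policy rather than patching one field. It assumes boto3 is installed only for the live calls in main(); the sample policy is constructed.

```python
import sys

# Keys that UpdateAccountPasswordPolicy accepts. GetAccountPasswordPolicy also
# returns read-only ExpirePasswords, which must be dropped before updating.
UPDATABLE_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)

# Constructed sample of a GetAccountPasswordPolicy response (not from a real
# account): strong in every respect except the numeric requirement.
SAMPLE_NONCOMPLIANT_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": False,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}

def evaluate_require_numbers(policy):
    """Return (compliant, reason). policy is the PasswordPolicy dict, or None when
    GetAccountPasswordPolicy raised NoSuchEntity (no custom policy configured)."""
    if policy is None:
        return False, "no custom password policy; AWS default does not enforce RequireNumbers"
    if policy.get("RequireNumbers") is True:
        return True, "RequireNumbers is enabled"
    return False, "RequireNumbers is disabled"

def build_remediated_policy(policy):
    """Kwargs for update_account_password_policy that keep every existing setting
    and enable RequireNumbers; any key left out would reset to its API default."""
    fixed = {k: v for k, v in (policy or {}).items() if k in UPDATABLE_KEYS}
    fixed["RequireNumbers"] = True
    return fixed

def main():
    import boto3  # imported lazily so the helpers above run without it
    iam = boto3.client("iam")
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = None
    compliant, reason = evaluate_require_numbers(policy)
    print(("COMPLIANT: " if compliant else "NON-COMPLIANT: ") + reason)
    if not compliant and "--fix" in sys.argv:  # remediate only when asked
        iam.update_account_password_policy(**build_remediated_policy(policy))

if __name__ == "__main__":
    main()
```

Run it with `--fix` to apply the remediation; without the flag it only reports, matching the Test Plan above.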

Backout Plan:

  1. If password creation issues occur for users, temporarily disable the numeric requirement and re-enable it after proper user communication.

  2. Provide password creation guidelines to all IAM users to prevent lockout issues.

References: