IAM Password policy should have minimum password length of 14 or more characters.
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | iam |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The IAM password policy allows users to create passwords shorter than 14 characters, which weakens password strength and increases susceptibility to brute-force or guessing attacks. The configuration does not enforce a sufficiently long minimum password length.
Impact
Short passwords are easier for attackers to compromise through automated guessing or brute-force attacks, potentially leading to unauthorized access to AWS resources and increased risk of account takeover or data breaches.
Resolution
Enforce longer, more complex passwords in the policy by setting the minimum password length to 14 or more characters.
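
One way to check for this finding and prepare the fix, as an added example that is not part of the original rule page or of any scanner's own code. The function names are hypothetical, the input is assumed to be the `PasswordPolicy` dict returned by boto3's `get_account_password_policy()`, and the sample policy is constructed.

```python
REQUIRED_MIN_LENGTH = 14  # threshold from this rule

# Parameters accepted by update_account_password_policy(). ExpirePasswords is
# returned by the get call but is read-only, so it is deliberately absent.
UPDATABLE_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)


def audit_min_length(policy):
    """Return (compliant, configured_length, reason).

    `policy` is the "PasswordPolicy" dict from get_account_password_policy(),
    or None when that call raised NoSuchEntity (no custom policy is set).
    """
    if policy is None:
        return (False, None, "no custom password policy is set")
    length = policy.get("MinimumPasswordLength")
    if length is None or length < REQUIRED_MIN_LENGTH:
        return (False, length, f"minimum length {length} is below {REQUIRED_MIN_LENGTH}")
    return (True, length, "ok")


def remediation_params(policy):
    """Build keyword arguments for update_account_password_policy().

    The update call replaces the whole policy, and any parameter left out
    reverts to its default, so existing settings are carried over and only
    the minimum length is raised.
    """
    params = {k: v for k, v in (policy or {}).items() if k in UPDATABLE_KEYS}
    current = params.get("MinimumPasswordLength") or 0
    params["MinimumPasswordLength"] = max(current, REQUIRED_MIN_LENGTH)
    return params


# Constructed sample, shaped like a get_account_password_policy() response.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "ExpirePasswords": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24,
}

if __name__ == "__main__":
    print(audit_min_length(SAMPLE_POLICY))
    print(remediation_params(SAMPLE_POLICY))
```

The dict from `remediation_params()` can be passed as `iam.update_account_password_policy(**params)`; review the carried-over settings first, since the call overwrites the entire account policy.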