aws_03_iam_password_policy.py
AWS has no default IAM password policy. If no policy is configured, users can set passwords of any length with no complexity, no expiry, and no reuse restrictions. Most organisations configure something — but something is not the same as compliant. A policy with minimum length of 8 and no symbol requirement will satisfy nobody's auditor. This check catches partial configurations as well as absent ones, down to the individual sub-control.
You are supporting a PCI DSS QSA review. Requirement 8.3 asks for a documented and enforced password complexity policy. You run this script. It returns FAIL: three of seven sub-checks are failing — password length is set to 8 characters, symbols are not required, and reuse prevention is set to 5 (not 24). Each sub-check failure is a separate line item in the report with the actual value versus the required threshold.
aws_03_iam_password_policy.py calls iam:GetAccountPasswordPolicy and evaluates seven individual sub-checks against CIS thresholds: minimum length (≥14), uppercase, lowercase, numbers, symbols, max password age (≤365 days), and reuse prevention (≥24). Each sub-check produces its own PASS/FAIL with the actual value, and the overall result is FAIL if any sub-check fails. If no policy exists, all seven fail and the risk is rated CRITICAL.
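The sub-check evaluation described above, as an added example that is not the script's own code: it scores the `PasswordPolicy` dict returned by `iam:GetAccountPasswordPolicy` against the seven CIS thresholds and treats an absent policy as seven failures rated CRITICAL. The HIGH rating for a partial policy, the absence of a rating on PASS, the function names and the sample dict are assumptions.

```python
"""Sub-check evaluation for an IAM account password policy (added example)."""
from typing import Optional

# One row per CIS sub-check: (CIS id, label, PasswordPolicy key, pass predicate).
# Keys are the field names returned by iam:GetAccountPasswordPolicy.
SUB_CHECKS = [
    ("1.8", "Min password length >= 14", "MinimumPasswordLength", lambda v: v is not None and v >= 14),
    ("1.8", "Require uppercase characters", "RequireUppercaseCharacters", lambda v: v is True),
    ("1.8", "Require lowercase characters", "RequireLowercaseCharacters", lambda v: v is True),
    ("1.8", "Require numbers", "RequireNumbers", lambda v: v is True),
    ("1.8", "Require symbols", "RequireSymbols", lambda v: v is True),
    ("1.9", "Max password age <= 365 days", "MaxPasswordAge", lambda v: v is not None and v <= 365),
    ("1.11", "Password reuse prevention >= 24", "PasswordReusePrevention", lambda v: v is not None and v >= 24),
]

def evaluate_policy(policy: Optional[dict]) -> dict:
    """Score a PasswordPolicy dict; pass None when the account has no policy at all."""
    rows = []
    for cis_id, label, key, passes in SUB_CHECKS:
        # MaxPasswordAge and PasswordReusePrevention are simply absent when not set.
        actual = policy.get(key) if policy is not None else None
        rows.append({"cis": cis_id, "check": label,
                     "actual": "NOT SET" if actual is None else actual,
                     "result": "PASS" if passes(actual) else "FAIL"})
    failures = sum(r["result"] == "FAIL" for r in rows)
    # Risk rating (assumed scheme): CRITICAL with no policy, HIGH for a partial
    # policy, and no rating when every sub-check passes.
    risk = "CRITICAL" if policy is None else ("HIGH" if failures else None)
    return {"result": "FAIL" if failures else "PASS", "risk": risk,
            "failures": failures, "sub_checks": rows}

def fetch_policy(profile: Optional[str] = None) -> Optional[dict]:
    """Pull the live policy with boto3; returns None when AWS reports no policy."""
    import boto3  # imported here so the evaluation logic stays testable offline
    iam = boto3.Session(profile_name=profile).client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None

# Constructed sample mirroring the failing report on this page: length 8,
# no symbol requirement, no expiry configured, reuse prevention 5.
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
               "RequireLowercaseCharacters": True, "RequireNumbers": True,
               "RequireSymbols": False, "PasswordReusePrevention": 5}

if __name__ == "__main__":
    report = evaluate_policy(WEAK_POLICY)
    print(f"RESULT: {report['result']}  Risk: {report['risk']}")
    for r in report["sub_checks"]:
        print(f"{r['cis']:<5} {r['check']:<34} {str(r['actual']):<8} {r['result']}")
```

Replace `WEAK_POLICY` with `fetch_policy("my-audit-role")` to score a live account; the sub-check rows are already in the shape the `--json-only` output above exposes.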
Regulation coverage: NIST CSF PR.AC-1 | SOX ITGC AC-03 | PCI DSS 8.3 | ISO 27001 A.9.4.3 | FFIEC CAT | HIPAA §164.312
Prerequisites: pip install boto3 · iam:GetAccountPasswordPolicy · sts:GetCallerIdentity
```shell
# Install dependency
$ pip install boto3

# Run with default credentials
$ python3 aws_03_iam_password_policy.py

# Named profile
$ python3 aws_03_iam_password_policy.py --profile my-audit-role

# Save JSON evidence
$ python3 aws_03_iam_password_policy.py --profile my-audit-role --save

# JSON only
$ python3 aws_03_iam_password_policy.py --json-only | jq .sub_checks
```
Sample output, compliant account:

```text
✓ RESULT: PASS

Sub-check detail
──────────────────────────────────────────────────────────────
CIS    Check                              Actual    Result
──────────────────────────────────────────────────────────────
1.8    Min password length >= 14          14        ✓ PASS
1.8    Require uppercase characters       True      ✓ PASS
1.8    Require lowercase characters       True      ✓ PASS
1.8    Require numbers                    True      ✓ PASS
1.8    Require symbols                    True      ✓ PASS
1.9    Max password age <= 365 days       90        ✓ PASS
1.11   Password reuse prevention >= 24    24        ✓ PASS
```
Sample output, partial policy:

```text
✗ RESULT: FAIL    Risk Rating: HIGH

Sub-check detail
──────────────────────────────────────────────────────────────
CIS    Check                              Actual    Result
──────────────────────────────────────────────────────────────
1.8    Min password length >= 14          8         ✗ FAIL
1.8    Require uppercase characters       True      ✓ PASS
1.8    Require lowercase characters       True      ✓ PASS
1.8    Require numbers                    True      ✓ PASS
1.8    Require symbols                    False     ✗ FAIL
1.9    Max password age <= 365 days       NOT SET   ✗ FAIL
1.11   Password reuse prevention >= 24    5         ✗ FAIL
```
Regulation map
| Framework | Control / Clause | Obligation |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identities and credentials must be managed for authorised devices, users, and processes. Weak password policy is a direct gap. |
| SOX ITGC | AC-03 | Password controls for financial system access must meet documented complexity standards. Each sub-check failure is a reportable gap. |
| PCI DSS v4.0 | 8.3 | Passwords must meet minimum complexity and length requirements. PCI thresholds align closely with CIS 1.8 requirements. |
| ISO 27001:2022 | A.9.4.3 | Password management systems must enforce quality requirements. An absent or weak AWS password policy breaches this control. |
| FFIEC CAT | Baseline — IAM | Financial institutions must enforce password complexity for all system access. Sub-check failures require documented remediation timelines. |
| HIPAA Security Rule | §164.312(d) | Password management procedures must ensure that passwords used to protect ePHI meet minimum security standards. |
Feedback welcome: Corrections, ideas, and requests — grcguy@rtapulse.com.