IAM account password policy sets a password expiration period for IAM user console logins; configuration is aligned when rotation is enabled and set to <= 90 days.
Risk
Without rotation, stale passwords persist, enabling credential stuffing, brute force, and password reuse attacks. A compromised IAM user can retain console access, enabling data exfiltration, privilege escalation, and loss of confidentiality and integrity.
prowler aws --checks iam_password_policy_expires_passwords_within_90_days_or_less
prowler aws --checks iam_password_policy_expires_passwords_within_90_days_or_less --fixer
Recommendation
Enforce password rotation at <= 90 days and prevent reuse. Pair with MFA, strong length/complexity, and prefer federation/SSO to reduce static passwords. Apply least privilege, monitor sign-ins, and remove inactive console passwords to limit exposure.
Remediation
aws iam update-account-password-policy --max-password-age 90
- In the AWS Console, go to IAM
- Select Account settings
- In Password policy, click Edit
- Check Enable password expiration and set Password expiration period (days) to 90 or less
- Click Save changes
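The evaluation this check performs, and the remediation it applies, as an added example in Python (not Prowler's own code). The evaluation works on the `PasswordPolicy` dict returned by IAM `GetAccountPasswordPolicy`, treating a missing policy, disabled expiration, and an age above 90 days as failures. The remediation helper carries the existing settings across because the `UpdateAccountPasswordPolicy` API resets every parameter that is omitted to its default, which is a side effect of running the one-flag CLI command above on an account that already has a tuned policy. The sample policies are constructed; the `iam_client` arguments are assumed to be a `boto3.client("iam")` created by the caller.

```python
"""Added example: evaluate and remediate IAM password expiration (<= 90 days)."""
from typing import Optional, Tuple

MAX_PASSWORD_AGE_DAYS = 90

# Fields of GetAccountPasswordPolicy that UpdateAccountPasswordPolicy accepts.
# ExpirePasswords is read-only (derived from MaxPasswordAge) and is not carried.
CARRIED_KEYS = (
    "MinimumPasswordLength",
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "AllowUsersToChangePassword",
    "PasswordReusePrevention",
    "HardExpiry",
)


def evaluate_password_policy(policy: Optional[dict]) -> Tuple[str, str]:
    """Return (status, reason). `policy` is the PasswordPolicy dict, or None
    when the account has no password policy at all (NoSuchEntity)."""
    if policy is None:
        return "FAIL", "No account password policy is configured"
    if not policy.get("ExpirePasswords", False):
        return "FAIL", "Password expiration is disabled"
    max_age = policy.get("MaxPasswordAge")
    if max_age is None:
        # IAM omits MaxPasswordAge when expiration is off; treat a bare
        # ExpirePasswords=True without an age as not compliant.
        return "FAIL", "Password expiration enabled but MaxPasswordAge is missing"
    if max_age > MAX_PASSWORD_AGE_DAYS:
        return "FAIL", f"Passwords expire after {max_age} days (> {MAX_PASSWORD_AGE_DAYS})"
    return "PASS", f"Passwords expire after {max_age} days"


def build_update_request(current: Optional[dict], max_age: int = MAX_PASSWORD_AGE_DAYS) -> dict:
    """Build kwargs for update_account_password_policy that preserve the current
    settings and only change MaxPasswordAge. With no existing policy this is the
    same single-parameter request as `aws iam update-account-password-policy
    --max-password-age 90`."""
    request = {}
    if current:
        for key in CARRIED_KEYS:
            if key in current:
                request[key] = current[key]
    request["MaxPasswordAge"] = max_age
    return request


def fetch_password_policy(iam_client) -> Optional[dict]:
    """Read the account policy with a boto3 IAM client; None when absent."""
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


def remediate_password_policy(iam_client, max_age: int = MAX_PASSWORD_AGE_DAYS) -> dict:
    """Apply the rotation setting without discarding the rest of the policy."""
    current = fetch_password_policy(iam_client)
    request = build_update_request(current, max_age)
    iam_client.update_account_password_policy(**request)
    return request


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real account.
    samples = {
        "no policy": None,
        "expiration off": {"MinimumPasswordLength": 8, "ExpirePasswords": False},
        "180 days": {"MinimumPasswordLength": 14, "ExpirePasswords": True, "MaxPasswordAge": 180},
        "90 days": {"MinimumPasswordLength": 14, "ExpirePasswords": True, "MaxPasswordAge": 90},
    }
    for name, policy in samples.items():
        status, reason = evaluate_password_policy(policy)
        print(f"{name:15s} {status:4s} {reason}")
    print("update request for the 180-day policy:",
          build_update_request(samples["180 days"]))
```

`remediate_password_policy` is the part that needs credentials; everything else runs offline, so the evaluation and request-building logic can be unit tested against constructed policies before it touches an account.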
Source Code
Resource Type
AwsIamPolicy