IAM password policy requires at least one lowercase character in user passwords via the Require lowercase setting
Risk
Without a lowercase requirement, the policy allows passwords drawn from a smaller character set, which lowers their entropy and makes brute-force and password-spraying attacks more effective. A compromised IAM user can enable unauthorized access and changes, risking the confidentiality, integrity, and availability of AWS resources.
Run this check with Prowler CLI
prowler aws --checks iam_password_policy_lowercase
Fix finding with Prowler CLI
prowler aws --checks iam_password_policy_lowercase --fixer
Recommendation
Adopt a strong password policy that:
- Enables Require at least one lowercase letter, plus uppercase, number, and symbol requirements
- Sets a sufficient minimum length and blocks password reuse
- Requires MFA for all users
- Applies least privilege to limit blast radius
Remediation
CLI
aws iam update-account-password-policy --require-lowercase-characters
Note: update-account-password-policy replaces the whole policy rather than patching it; any parameter you omit reverts to its default. Run aws iam get-account-password-policy first and pass your existing settings (for example --minimum-password-length, --require-uppercase-characters, --require-numbers, --require-symbols, --password-reuse-prevention, --max-password-age) in the same call so the fix does not silently weaken other controls.
Other
- In the AWS Console, open IAM
- Go to Account settings
- In Password policy, click Edit
- Check "Require at least one lowercase letter (a-z)"
- Click Save changes
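The following Python script is an added example (not Prowler's own check code) showing the same evaluation and remediation logic end to end: it classifies a GetAccountPasswordPolicy response as PASS or FAIL, treats a missing custom policy (NoSuchEntity) as FAIL, and builds an UpdateAccountPasswordPolicy call that turns on the lowercase requirement while carrying over every other existing setting, since that API replaces the whole policy. The sample policy is constructed; the fetch_and_remediate helper assumes boto3 is installed and AWS credentials with iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy are available, and is the only part that touches AWS.

```python
"""Check and fix the IAM password policy's lowercase requirement.

Added example; not Prowler's check implementation.
"""
from __future__ import annotations

# Keys returned by GetAccountPasswordPolicy that UpdateAccountPasswordPolicy
# also accepts. ExpirePasswords is read-only and must be dropped, and any
# parameter omitted from the update call silently reverts to its default.
UPDATABLE_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)


def evaluate_lowercase_requirement(policy: dict | None) -> dict:
    """Return a PASS/FAIL finding for the Require lowercase setting.

    policy is the PasswordPolicy dict from GetAccountPasswordPolicy, or None
    when the API raised NoSuchEntity (no custom policy configured), which
    means lowercase characters are not enforced either.
    """
    if policy is None:
        return {"status": "FAIL",
                "status_extended": "No custom IAM password policy exists; "
                                   "lowercase characters are not enforced."}
    if policy.get("RequireLowercaseCharacters", False):
        return {"status": "PASS",
                "status_extended": "IAM password policy requires at least "
                                   "one lowercase character."}
    return {"status": "FAIL",
            "status_extended": "IAM password policy does not require at "
                               "least one lowercase character."}


def build_update_params(policy: dict | None) -> dict:
    """Build UpdateAccountPasswordPolicy kwargs that enable the lowercase
    requirement while preserving every other existing setting."""
    params = {k: v for k, v in (policy or {}).items() if k in UPDATABLE_KEYS}
    params["RequireLowercaseCharacters"] = True
    return params


def fetch_and_remediate(apply: bool = False) -> dict:
    """Read the live policy with boto3 (assumed installed and credentialed)
    and optionally apply the fix. Imported lazily so the pure functions
    above run offline."""
    import boto3  # assumption: boto3 available in the environment
    iam = boto3.client("iam")
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = None
    finding = evaluate_lowercase_requirement(policy)
    if finding["status"] == "FAIL" and apply:
        iam.update_account_password_policy(**build_update_params(policy))
    return finding


# Constructed sample mirroring a GetAccountPasswordPolicy response for an
# account whose policy is otherwise strong but lacks the lowercase rule.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

if __name__ == "__main__":
    print(evaluate_lowercase_requirement(SAMPLE_POLICY))
    print(build_update_params(SAMPLE_POLICY))
```

Running the script offline prints a FAIL finding for the sample and the merged update parameters, which keep the 14-character minimum, the 24-password reuse block and the 90-day age limit while dropping the read-only ExpirePasswords key. Call fetch_and_remediate(apply=True) against a real account only after confirming the merged parameters match the policy you expect.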
Resource Type
AwsIamPolicy