
IAM password policy requires at least one uppercase letter

iam_password_policy_uppercase

Severity: medium
Service: iam
by Prowler

IAM account password policy enforces the presence of at least one uppercase letter (A-Z) in IAM user passwords.

This evaluates whether the uppercase complexity rule is enabled for console passwords.

Risk

Without an uppercase requirement, the character set users must draw from is smaller, so passwords tend to have lower entropy and are easier to brute-force online or crack offline from leaked hashes. Complexity rules alone do not stop credential stuffing with reused passwords, which is why the policy should be paired with MFA. A compromised IAM user password grants console access, threatening confidentiality (data exposure), integrity (unauthorized changes), and availability (resource deletion).

Run this check with Prowler CLI

prowler aws --checks iam_password_policy_uppercase

Fix finding with Prowler CLI

prowler aws --checks iam_password_policy_uppercase --fixer

Recommendation

Enable the uppercase rule within a strong password policy that also requires length, lowercase, numbers, and symbols. Pair with MFA and least privilege to reduce blast radius. Regularly review policy effectiveness and prefer federated SSO to minimize long-lived IAM passwords.

Remediation

CLI

aws iam update-account-password-policy --require-uppercase-characters

Other (AWS Console)
  1. In the AWS Console, go to IAM
  2. Open Account settings > Password policy > Edit
  3. Check "Require at least one uppercase letter (A-Z)"
  4. Click Save changes
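One caveat a practitioner should know before running the single-flag CLI command above: UpdateAccountPasswordPolicy does not support partial updates, so every parameter you omit reverts to its service default (MinimumPasswordLength back to 6, every Require* flag and HardExpiry back to false, password expiry and reuse prevention disabled). Enabling only the uppercase rule from the CLI can therefore silently weaken the rest of an existing policy; the console form does not have this problem because it submits all current values. The following Python is an added example, not Prowler's or AWS's code: it evaluates a GetAccountPasswordPolicy response the way this check does and builds the complete update command that preserves the existing settings while turning on the uppercase rule. The sample policy is constructed, and treating a missing policy as a FAIL is this example's own choice.

```python
"""Evaluate the uppercase rule and build a non-destructive remediation command.

Added example for the iam_password_policy_uppercase check; not Prowler's code.
The sample GetAccountPasswordPolicy response below is constructed.
"""
import json

# Constructed sample: an account whose policy enforces length, symbols, numbers
# and lowercase letters, but not uppercase letters.
SAMPLE_GET_RESPONSE = json.dumps({
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": False,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
        "HardExpiry": False,
    }
})


def evaluate_uppercase_rule(policy):
    """Return (status, message) for the uppercase rule.

    `policy` is the PasswordPolicy dict, or None when the account has no
    policy at all (GetAccountPasswordPolicy raises NoSuchEntity). This
    example treats a missing policy as a failure (an assumption here).
    """
    if policy is None:
        return "FAIL", "No IAM account password policy is configured."
    if policy.get("RequireUppercaseCharacters", False):
        return "PASS", "IAM password policy requires at least one uppercase letter."
    return "FAIL", "IAM password policy does not require at least one uppercase letter."


# Boolean UpdateAccountPasswordPolicy parameters and their AWS CLI flag names.
# Each has a --<flag> / --no-<flag> pair; omitting one resets it to false.
_BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}


def build_update_command(policy, **overrides):
    """Build the full `aws iam update-account-password-policy` argv.

    Every existing setting is carried over explicitly and `overrides`
    (e.g. RequireUppercaseCharacters=True) are applied on top, so the call
    never relies on AWS defaults. Starting from None (no policy) yields the
    service defaults plus the overrides.
    """
    merged = dict(policy or {})
    merged.update(overrides)
    argv = ["aws", "iam", "update-account-password-policy"]
    argv += ["--minimum-password-length", str(merged.get("MinimumPasswordLength", 6))]
    for key, flag in _BOOL_FLAGS.items():
        argv.append(f"--{flag}" if merged.get(key, False) else f"--no-{flag}")
    # ExpirePasswords is read-only in the Get response; expiry is controlled by
    # MaxPasswordAge (1-1095 days). Both numeric options are omitted when unset,
    # which leaves expiry / reuse prevention disabled, matching the source policy.
    if merged.get("MaxPasswordAge"):
        argv += ["--max-password-age", str(merged["MaxPasswordAge"])]
    if merged.get("PasswordReusePrevention"):
        argv += ["--password-reuse-prevention", str(merged["PasswordReusePrevention"])]
    return argv


def remediate_uppercase(get_response_json):
    """Parse a GetAccountPasswordPolicy response; return the remediation argv,
    or None when the check already passes."""
    policy = json.loads(get_response_json).get("PasswordPolicy")
    status, _ = evaluate_uppercase_rule(policy)
    if status == "PASS":
        return None
    return build_update_command(policy, RequireUppercaseCharacters=True)


if __name__ == "__main__":
    sample_policy = json.loads(SAMPLE_GET_RESPONSE)["PasswordPolicy"]
    print(evaluate_uppercase_rule(sample_policy))
    print(" ".join(remediate_uppercase(SAMPLE_GET_RESPONSE)))
```

In practice, feed the output of `aws iam get-account-password-policy` into `remediate_uppercase` and review the generated command before running it; the point is that the emitted argv restates the current length, complexity, expiry and reuse settings rather than letting them fall back to defaults.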


Resource Type

AwsIamPolicy
