iam-password-policy - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Checks if the account password policy for Amazon Identity and Access Management (IAM) users meets the specified requirements indicated in the parameters. The rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.


The true and false values for the rule parameters are case-sensitive. If true is not provided in lowercase, it will be treated as false.


This rule is marked as NON-COMPLIANT when the default IAM password policy is used.


The AWS::IAM::User resource type can only be recorded by Amazon Config in Regions where Amazon Config was available before February 2022. AWS::IAM::User cannot be recorded in Regions supported by Amazon Config after February 2022.

Additionally, if you have selected to record AWS::IAM::User in at least one Region, periodic rules such as this rule that report compliance on AWS::IAM::User will run evaluations on AWS::IAM::User in all Regions where the periodic rule is added, even if you have not enabled the recording of AWS::IAM::User in the Region where the periodic rule was added.

You should only deploy this rule to one of the supported Regions to avoid unnecessary evaluations and API throttling. Not enabling the recording of global IAM resource types will not prevent this rule from running evaluations, if you have enable the recording of global IAM resource types in another Region. To avoid unnecessary evaluations, you should limit the deployment of this rule to one Region.


Trigger type: Periodic

Amazon Web Services Region: All supported Amazon regions except Israel (Tel Aviv), Canada West (Calgary) Region


RequireUppercaseCharacters (Optional)
Type: boolean
Default: true

Require at least one uppercase character in password.

RequireLowercaseCharacters (Optional)
Type: boolean
Default: true

Require at least one lowercase character in password.

RequireSymbols (Optional)
Type: boolean
Default: true

Require at least one symbol in password.

RequireNumbers (Optional)
Type: boolean
Default: true

Require at least one number in password.

MinimumPasswordLength (Optional)
Type: int
Default: 14

Password minimum length.

PasswordReusePrevention (Optional)
Type: int
Default: 24

Number of passwords before allowing reuse.

MaxPasswordAge (Optional)
Type: int
Default: 90

Number of days before password expiration.

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.