Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
Automating IAM Password Policy Configuration Across Your Organization
A practical guide to implementing organization-wide password policies using CloudFormation StackSets
The Challenge
Organizations with multiple AWS accounts need consistent IAM password policies to maintain security standards and compliance requirements. Manual configuration of password policies across hundreds of accounts becomes impractical and creates security gaps. Organizations need automated deployment that enforces password complexity, length requirements, and reuse prevention organization-wide without ongoing maintenance overhead.
This best practice is supported by CIS AWS Foundations Benchmark v3.0.0 IAM.15 (password length) and IAM.16 (password reuse prevention) controls, which require comprehensive password policy configuration.
Manual vs Automated Password Policy Management
Manual password policy configuration creates operational challenges and compliance gaps compared to automated organization-wide deployment:
Manual Configuration Problems:
- Scale Management: Configuring password policies individually across hundreds of accounts
- Consistency Issues: Different accounts may have varying password requirements
- Compliance Gaps: New accounts may lack proper password policies
- Operational Overhead: Manual updates required when policy requirements change
Automated Benefits:
- Organization-wide Consistency: Standardized password policies across all accounts
- Automatic Application: New accounts receive password policies automatically
- Compliance Assurance: Guaranteed policy deployment without manual intervention
- Centralized Management: Single deployment manages all account password policies
Implementation Approach
CloudFormation StackSets provide scalable deployment using Lambda-backed custom resources to call the IAM Account Management API. AWS CloudFormation lacks native support for account-level password policy configuration, making custom resources the standard implementation approach. The solution deploys consistently across all accounts and automatically applies to new accounts when configured with automatic deployment.
CloudFormation Template
AWSTemplateFormatVersion: '2010-09-09' Parameters: MinimumPasswordLength: Type: Number Default: 14 Description: Minimum password length (CIS IAM.15 requires 14 or greater) PasswordReusePrevention: Type: Number Default: 24 Description: Number of previous passwords to prevent reuse (CIS IAM.16) MaxPasswordAge: Type: Number Default: 90 Description: Maximum password age in days Resources: AccountPasswordPolicy: Type: AWS::CloudFormation::CustomResource Properties: ServiceToken: !GetAtt PasswordPolicyFunction.Arn MinimumPasswordLength: !Ref MinimumPasswordLength PasswordReusePrevention: !Ref PasswordReusePrevention MaxPasswordAge: !Ref MaxPasswordAge PasswordPolicyFunction: Type: AWS::Lambda::Function Properties: Runtime: python3.12 Handler: index.handler Role: !GetAtt LambdaExecutionRole.Arn Code: ZipFile: | import boto3 import cfnresponse def handler(event, context): try: iam = boto3.client('iam') if event['RequestType'] == 'Create' or event['RequestType'] == 'Update': iam.update_account_password_policy( MinimumPasswordLength=int(event['ResourceProperties']['MinimumPasswordLength']), PasswordReusePrevention=int(event['ResourceProperties']['PasswordReusePrevention']), MaxPasswordAge=int(event['ResourceProperties']['MaxPasswordAge']), RequireSymbols=True, RequireNumbers=True, RequireUppercaseCharacters=True, RequireLowercaseCharacters=True, AllowUsersToChangePassword=True ) cfnresponse.send(event, context, cfnresponse.SUCCESS, {}) except Exception as e: print(f"Error: {str(e)}") cfnresponse.send(event, context, cfnresponse.FAILED, {}) LambdaExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: PasswordPolicyManagement PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - iam:UpdateAccountPasswordPolicy - iam:GetAccountPasswordPolicy Resource: '*'
Deployment Strategy
Deploy using CloudFormation StackSets from the management account or delegated administrator. Target organizational units based on governance requirements and enable automatic deployment for new accounts.
# Create StackSet aws cloudformation create-stack-set \ --stack-set-name iam-password-policy-stackset \ --template-body file://iam-password-policy.yaml \ --capabilities CAPABILITY_IAM \ --parameters ParameterKey=MinimumPasswordLength,ParameterValue=14 \ ParameterKey=PasswordReusePrevention,ParameterValue=24 # Deploy to organization aws cloudformation create-stack-instances \ --stack-set-name iam-password-policy-stackset \ --deployment-targets OrganizationalUnitIds=ou-1234567890abcdef \ --regions us-east-1 \ --operation-preferences MaxConcurrentPercentage=100
CIS Controls Satisfied
This implementation satisfies multiple CIS AWS Foundations Benchmark v3.0.0 controls:
IAM.15 - Password Policy Length:
- Enforces minimum password length of 14 characters or greater
- Configurable parameter allows adjustment based on organizational requirements
IAM.16 - Password Reuse Prevention:
- Prevents reuse of previous 24 passwords (configurable)
- Maintains password history to enforce uniqueness requirements
Additional Security Controls:
- Requires uppercase, lowercase, numbers, and symbols
- Allows users to change their own passwords
- Configurable maximum password age for rotation requirements
Operations and Maintenance
Account-level password policies are persistent and require no ongoing maintenance once configured. The policies automatically apply to all IAM users in each account, providing comprehensive coverage without per-user configuration.
AWS Security Hub provides built-in detective controls to monitor accounts without proper password policy configuration through CIS compliance checks.
Testing and Validation
Validate the password policy deployment by testing policy enforcement:
Check Policy Configuration:
# Verify password policy is applied aws iam get-account-password-policy
Test Password Requirements:
# Create test user and attempt weak password (should fail) aws iam create-user --user-name test-password-user aws iam create-login-profile --user-name test-password-user --password "weak123"
Expected Results:
- Password policy should show configured requirements
- Weak passwords should be rejected with policy violation errors
- Strong passwords meeting requirements should be accepted
Limitations and Alternatives
This approach creates Lambda functions in each account, which may be unnecessary overhead for one-time configuration.
For one-time setup, AWS CLI provides simpler deployment without per-account resources:
aws iam update-account-password-policy \ --minimum-password-length 14 \ --password-reuse-prevention 24 \ --max-password-age 90 \ --require-symbols \ --require-numbers \ --require-uppercase-characters \ --require-lowercase-characters \ --allow-users-to-change-password
CloudFormation StackSets provide ongoing management and automatic application to new accounts, while CLI offers simpler one-time deployment for existing accounts.
Organizational Considerations
Change Management:
- Existing users with weak passwords are not forced to change immediately
- Password requirements apply when users next change their passwords
- Consider communication plan for password policy changes
Compliance Benefits:
- Satisfies multiple CIS controls with single implementation
- Provides audit trail through CloudFormation deployment history
- Enables consistent policy enforcement across organization
This implementation supports security best practices and satisfies CIS AWS Foundations Benchmark v3.0.0 IAM.15 and IAM.16 control requirements.
- Language
- English
Relevant content
- asked a year ago
