# IAM Password Policy

## Overview
This Terraform module provisions a custom IAM password policy for your AWS account, enabling enforcement of strict password requirements to align with security best practices.
## Key Features
- Enforces password complexity, length, and rotation policies
- Prevents password reuse and supports hard expiration options
- Fully customizable through input variables
- Aligns with CIS, NIST, and ISO standards
## Use Cases
- Enforce minimum password strength requirements
- Meet compliance standards for regulated industries
- Lock down IAM accounts with secure access policies
- Strengthen your baseline IAM security posture
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region for deployment |
| minimum_password_length | number | Minimum required password length |
| require_lowercase_characters | bool | Whether to require lowercase characters |
| require_numbers | bool | Whether to require numeric digits |
| require_symbols | bool | Whether to require symbols |
| require_uppercase_characters | bool | Whether to require uppercase characters |
| allow_users_to_change | bool | Whether users are allowed to change their own password |
| password_reuse_prevention | number | Number of previous passwords disallowed for reuse |
| max_password_age | number | Maximum number of days a password is valid before expiration |
| environment | string | Environment tag for visibility (e.g., dev, staging, prod) |
## Outputs
| Name | Description |
|---|---|
| password_policy_id | A generated identifier for tracking the policy |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Requires AWS Provider 5.x+
- IAM permissions required: `iam:UpdateAccountPasswordPolicy`, `iam:DeleteAccountPasswordPolicy`, `iam:GetAccountPasswordPolicy`
## Example Usage

```hcl
module "iam_password_policy_deployment" {
  source = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//identity/iam-password-policy?ref=v1.0.0"

  region                       = "us-east-1"
  minimum_password_length      = 14
  require_lowercase_characters = true
  require_numbers              = true
  require_symbols              = true
  require_uppercase_characters = true
  allow_users_to_change        = true
  password_reuse_prevention    = 5
  max_password_age             = 90
  environment                  = "prod"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or

```sh
tofu init
tofu plan
tofu apply
```
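After `apply`, it is worth confirming that the live account policy still matches the module inputs: the policy is account-wide, and anyone holding `iam:UpdateAccountPasswordPolicy` can weaken it outside Terraform. The following drift check is an added example, not part of the module; it assumes the inputs from the Example Usage block above and the field names of the `GetAccountPasswordPolicy` API response, and runs offline against a constructed sample policy.

```python
# Drift check for the IAM account password policy: added example, not module code.
# Module input variable -> field name in the GetAccountPasswordPolicy response.
INPUT_TO_API_FIELD = {
    "minimum_password_length": "MinimumPasswordLength",
    "require_lowercase_characters": "RequireLowercaseCharacters",
    "require_numbers": "RequireNumbers",
    "require_symbols": "RequireSymbols",
    "require_uppercase_characters": "RequireUppercaseCharacters",
    "allow_users_to_change": "AllowUsersToChangePassword",
    "password_reuse_prevention": "PasswordReusePrevention",
    "max_password_age": "MaxPasswordAge",
}

# Inputs from the Example Usage block above.
EXAMPLE_INPUTS = {
    "minimum_password_length": 14,
    "require_lowercase_characters": True,
    "require_numbers": True,
    "require_symbols": True,
    "require_uppercase_characters": True,
    "allow_users_to_change": True,
    "password_reuse_prevention": 5,
    "max_password_age": 90,
}

# Constructed sample of a policy later weakened by hand: length dropped to 8 and
# MaxPasswordAge / PasswordReusePrevention removed. AWS omits those keys entirely
# (and reports ExpirePasswords: false) when the controls are unset.
SAMPLE_WEAKENED_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}


def find_drift(live_policy: dict, inputs: dict = EXAMPLE_INPUTS) -> "list[str]":
    """Return one message per input whose live value differs; a missing key is drift too."""
    drift = []
    for var, field in INPUT_TO_API_FIELD.items():
        actual = live_policy.get(field)  # None when the control is not set at all
        if actual != inputs[var]:
            drift.append(f"{var}: expected {inputs[var]!r}, live policy has {actual!r}")
    return drift


if __name__ == "__main__":  # for a live run pass boto3.client("iam").get_account_password_policy()["PasswordPolicy"]
    print("\n".join(find_drift(SAMPLE_WEAKENED_POLICY)) or "no drift")
```

Running it as a scheduled job and alerting on a non-empty result turns the module's one-time enforcement into an ongoing control.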
## Cleanup

Terraform destroy:

```sh
terraform destroy
```

or

```sh
tofu destroy
```

Manual deletion (for production):

```sh
aws iam delete-account-password-policy
```
## Notes
This is a Level 1 identity hardening module.
To fully secure your IAM environment, pair this module with IAM groups, users, and policy modules across your identity infrastructure.
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier.
To access the full deployment package and source code, subscribe to Archiphire.