For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-iam-password-without-minimum-length.md. A documentation index is available at /llms.txt.

IAM password without minimum length

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-iam-password-without-minimum-length

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Description

IAM user console passwords defined in AWS CloudFormation should be strong to reduce the risk of account compromise through brute force, credential stuffing, or simple credential reuse. For AWS::IAM::User resources, Properties.LoginProfile.Password must be a string with a minimum length of 14 characters. Passwords shorter than 14 characters will be flagged unless they reference a secret via an AWS Secrets Manager dynamic reference. Avoid embedding plaintext passwords in templates. Instead, reference secrets stored in AWS Secrets Manager or SSM Parameter Store, or rely on IAM-managed workflows and password policies.

Secure example with a sufficiently long password (or a secret reference) in CloudFormation:

MyUser:
  Type: AWS::IAM::User
  Properties:
    UserName: example-user
    LoginProfile:
      Password: "S3cureP@ssw0rd2025"

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd123asw
      Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sqs:*
            Resource:
            - !GetAtt myqueue.Arn
          - Effect: Deny
            Action:
            - sqs:*
            NotResource:
            - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sns:*
            Resource:
            - !Ref mytopic
          - Effect: Deny
            Action:
            - sns:*
            NotResource:
            - !Ref mytopic

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd123asw"
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Resource": [
                    "myqueue.Arn"
                  ],
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ]
                }
              ]
            }
          },
          {
            "PolicyName": "giveaccesstotopiconly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sns:*"
                  ],
                  "Resource": [
                    "mytopic"
                  ]
                },
                {
                  "Action": [
                    "sns:*"
                  ],
                  "NotResource": [
                    "mytopic"
                  ],
                  "Effect": "Deny"
                }
              ]
            }
          }
        ]
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd
      Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sqs:*
            Resource:
            - !GetAtt myqueue.Arn
          - Effect: Deny
            Action:
            - sqs:*
            NotResource:
            - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sns:*
            Resource:
            - !Ref mytopic
          - Effect: Deny
            Action:
            - sns:*
            NotResource:
            - !Ref mytopic

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ]
                }
              ]
            }
          },
          {
            "PolicyName": "giveaccesstotopiconly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sns:*"
                  ],
                  "Resource": [
                    "mytopic"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sns:*"
                  ],
                  "NotResource": [
                    "mytopic"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  }
}