Metadata

Id: bts2c3d4-e5f6-7890-ab12-cd34ef567890

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Best Practices

Description

This check ensures that the AWS IAM account password policy requires at least one symbol in user passwords by setting require_symbols = true. Setting require_symbols to false, as shown below, weakens password complexity and makes user accounts more susceptible to brute-force or password-guessing attacks. Failing to enforce symbol usage increases the risk of unauthorized access to AWS resources.

resource "aws_iam_account_password_policy" "bad_example" {
  minimum_password_length      = 14
  require_symbols              = false
  require_numbers              = true
  require_lowercase_characters = true
  require_uppercase_characters = true
}

Compliant Code Examples

resource "aws_iam_account_password_policy" "good_example" {
  minimum_password_length      = 14
  require_symbols              = true
  require_numbers              = true
  require_lowercase_characters = true
  require_uppercase_characters = true
}

Non-Compliant Code Examples

resource "aws_iam_account_password_policy" "bad_example" {
  minimum_password_length      = 14
  require_symbols              = false
  require_numbers              = true
  require_lowercase_characters = true
  require_uppercase_characters = true
}
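
The same condition can be checked against a plan before it is applied. The script below is an added example, not the rule's own implementation: it reads the JSON produced by terraform show -json and reports every aws_iam_account_password_policy whose planned state does not have require_symbols = true. The function name and the sample plan are constructed for illustration, and treating an unset attribute as a finding is an assumption of this example.

```python
import json

RESOURCE_TYPE = "aws_iam_account_password_policy"

# Constructed sample: trimmed output of `terraform show -json plan.out`.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_iam_account_password_policy.good_example",
     "type": "aws_iam_account_password_policy",
     "change": {"actions": ["create"],
                "after": {"minimum_password_length": 14, "require_symbols": true}}},
    {"address": "aws_iam_account_password_policy.bad_example",
     "type": "aws_iam_account_password_policy",
     "change": {"actions": ["update"],
                "after": {"minimum_password_length": 14, "require_symbols": false}}},
    {"address": "module.iam.aws_iam_account_password_policy.unset",
     "type": "aws_iam_account_password_policy",
     "change": {"actions": ["create"],
                "after": {"minimum_password_length": 14}}},
    {"address": "aws_iam_account_password_policy.retired",
     "type": "aws_iam_account_password_policy",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
""")


def find_policies_without_symbols(plan):
    """Return addresses of password policies whose planned state lacks require_symbols = true."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        after = change.get("after")
        # A destroyed resource has no planned state to evaluate.
        if after is None or change.get("actions") == ["delete"]:
            continue
        # Assumption of this example: anything other than a literal true is reported.
        if after.get("require_symbols") is not True:
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in find_policies_without_symbols(SAMPLE_PLAN):
        print(f"FAIL {address}: require_symbols is not true")
```

In a pipeline, load the real plan with json.load and fail the job when the returned list is non-empty.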