AWS IAM Password Policy Does Not Have A Number

Checks to ensure that IAM password policy requires a number. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS IAM password policy does not have a number.
JSON Query:
$.resource[*].aws_iam_account_password_policy[*].*[*].require_numbers anyFalse
Recommended solution for making sure password have a number.
It is recommended IAM policy password have a number. Please make sure your template has "require_numbers" attribute is set to true.
For example:
"aws_iam_account_password_policy": [ { "<am_account_password_policy_name>": [ { "require_numbers": true } ] } ]

Run Rule Recommendation

  1. Login to the AWS console and navigate to the 'IAM' service.
  2. On the left navigation panel, Click on 'Account Settings'.
  3. check 'Require at least one number'.
  4. Click on 'Apply password policy'.
Remediation CLI Command:
aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols --allow-users-to-change-password --password-reuse-prevention 24 --max-password-age 90
CLI Command Description:
This CLI command requires 'iam:UpdateAccountPasswordPolicy' permission. Successful execution will update the password policy to set the minimum password length to 14, require lowercase, uppercase, symbol, allow users to reset password, cannot reuse the last 24 passwords and password expiration to 90 days.


There are 8 standards that are applicable to this policy:
  • CIS v1.2.0 (AWS)
  • HITRUST CSF v9.3
  • GDPR
  • NIST 800-171 Rev1
  • SOC 2
  • CSA CCM v3.0.1
  • NIST 800-53 Rev4

Recommended For You