AWS IAM Password Policy Does Not Have A Lowercase Character

This policy checks that the IAM password policy requires at least one lowercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS IAM password policy does not have a lowercase character.
JSON Query:
$.resource[*].aws_iam_account_password_policy[*].*[*].require_lowercase_characters anyFalse
Recommended solution for making sure passwords have a lowercase character:
It is recommended that the IAM password policy require a lowercase character. Make sure the "require_lowercase_characters" attribute in your template is set to true.
For example:
"aws_iam_account_password_policy": [ { "<am_account_password_policy_name>": [ { "require_lowercase_characters": true } ] } ]

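The build rule above, written out as a standalone check over a template in the same JSON layout. This is an added example, not the product's own rule engine; it assumes that `anyFalse` means "at least one matched value is false" and that the top-level "resource" is a list. The function name, the sample resource names, and the separate report for a missing attribute are choices made for this example.

```python
import json

# Constructed sample template in the JSON layout the build rule queries.
# Resource names ("strict", "weak", "unset") are made up for this example.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "aws_iam_account_password_policy": [
        {"strict": [{"minimum_password_length": 14, "require_lowercase_characters": true}]},
        {"weak":   [{"minimum_password_length": 14, "require_lowercase_characters": false}]},
        {"unset":  [{"minimum_password_length": 14}]}
      ]
    }
  ]
}
""")

ATTR = "require_lowercase_characters"


def _is_false(value):
    # Accept the JSON boolean and the string form some converters emit.
    return value is False or (isinstance(value, str) and value.strip().lower() == "false")


def check_lowercase_rule(template):
    """Walk $.resource[*].aws_iam_account_password_policy[*].*[*] and
    return (violations, missing) as lists of resource names."""
    violations, missing = [], []
    for resource in template.get("resource", []):
        for policy in resource.get("aws_iam_account_password_policy", []):
            for name, bodies in policy.items():
                for body in bodies:
                    if ATTR not in body:
                        missing.append(name)      # the query matches nothing here
                    elif _is_false(body[ATTR]):
                        violations.append(name)   # the anyFalse case
    return violations, missing


if __name__ == "__main__":
    bad, unset = check_lowercase_rule(SAMPLE_TEMPLATE)
    for name in bad:
        print(f"FAIL  {name}: {ATTR} is false")
    for name in unset:
        print(f"WARN  {name}: {ATTR} not set in template")
    raise SystemExit(1 if bad or unset else 0)
```
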
Run Rule Recommendation

  1. Log in to the AWS console and navigate to the 'IAM' service.
  2. On the left navigation panel, click on 'Account Settings'.
  3. Check 'Require at least one lowercase letter'.
  4. Click on 'Apply password policy'.
Remediation CLI Command:
aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols --allow-users-to-change-password --password-reuse-prevention 24 --max-password-age 90
CLI Command Description:
This CLI command requires the 'iam:UpdateAccountPasswordPolicy' permission. Successful execution updates the password policy to set the minimum password length to 14; require lowercase, uppercase, number and symbol characters; allow users to change their own password; prevent reuse of the last 24 passwords; and expire passwords after 90 days.


There are 8 standards that are applicable to this policy:
  • CIS v1.2.0 (AWS)
  • HITRUST CSF v9.3
  • GDPR
  • NIST 800-171 Rev1
  • SOC 2
  • CSA CCM v3.0.1
  • NIST 800-53 Rev4
