Password Policy length requirement
Description
The AWS account IAM password policy should enforce a minimum length of 14 characters and require symbols, numbers, uppercase and lowercase characters. The policy applies to IAM user console passwords only; it does not cover access keys or federated sign-in.
⚠️ Risk Impact
Short passwords are cheap to guess offline and are exactly what password-spraying and credential-stuffing tools target online. The 14-character minimum is the CIS AWS Foundations Benchmark 1.8 requirement and is consistent with current guidance that favors length over forced rotation. Caveat: NIST SP 800-63B advises against mandatory composition rules, while CIS still requires them; either way, a password policy is no substitute for MFA on every IAM user with console access.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
aws iam update-account-password-policy --minimum-password-length 14 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters
Note that update-account-password-policy replaces the whole policy rather than patching it: any setting you leave out (for example --password-reuse-prevention or --max-password-age) reverts to its default. Pass every setting you rely on in the same call, then confirm the result with aws iam get-account-password-policy. The policy is per account, so repeat this in every account in the organization.
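The same check and remediation expressed in Python with boto3, as an added example that is not EchelonGraph's scanner code. It evaluates a policy dict of the shape get_account_password_policy returns, treats a missing policy (NoSuchEntityException) as the AWS 8-character default, and builds the full update_account_password_policy argument set so nothing silently reverts. The reuse-prevention target of 24 (CIS 1.9), the decision to omit MaxPasswordAge, and the constructed WEAK_POLICY sample are assumptions.

```python
"""Evaluate an AWS IAM account password policy against the CIS AWS
Foundations Benchmark 1.8 length requirement plus the complexity and
reuse-prevention settings this page lists.

Added example: not EchelonGraph scanner code. The live fetch uses boto3's
real get_account_password_policy call; the evaluation is pure Python and
runs offline on constructed sample input.
"""
from typing import Dict, List, Optional

CIS_MIN_LENGTH = 14        # CIS AWS 1.8
CIS_REUSE_PREVENTION = 24  # CIS AWS 1.9; assumed target for the "reuse prevention" audit question
COMPLEXITY_FLAGS = (
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
)
AWS_DEFAULT_MIN_LENGTH = 8  # minimum AWS applies when no custom policy was ever set


def evaluate_password_policy(policy: Optional[Dict]) -> List[str]:
    """Return a list of findings (empty means compliant).

    `policy` is the 'PasswordPolicy' dict returned by
    iam.get_account_password_policy(), or None when the account has no
    custom policy (the API raises NoSuchEntityException in that case and
    the AWS default 8-character minimum with no reuse prevention applies).
    """
    findings: List[str] = []
    if policy is None:
        findings.append(
            f"No custom password policy; AWS default {AWS_DEFAULT_MIN_LENGTH}-character "
            f"minimum applies (require >= {CIS_MIN_LENGTH})"
        )
        findings.append("Password reuse prevention not configured")
        return findings

    min_len = policy.get("MinimumPasswordLength", AWS_DEFAULT_MIN_LENGTH)
    if min_len < CIS_MIN_LENGTH:
        findings.append(f"MinimumPasswordLength is {min_len}; require >= {CIS_MIN_LENGTH}")

    missing = [flag for flag in COMPLEXITY_FLAGS if not policy.get(flag, False)]
    if missing:
        findings.append("Complexity not enforced for: " + ", ".join(missing))

    # PasswordReusePrevention is absent from the response when it was never set.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < CIS_REUSE_PREVENTION:
        findings.append(f"PasswordReusePrevention is {reuse}; require >= {CIS_REUSE_PREVENTION}")
    return findings


def compliant_policy_kwargs() -> Dict:
    """Full argument set for iam.update_account_password_policy().

    The API replaces the whole policy: any parameter omitted reverts to its
    default, so every setting we rely on is passed explicitly in one call.
    MaxPasswordAge is left out on purpose (assumption): passwords then do not
    expire, in line with NIST SP 800-63B; add it only if your own policy
    requires rotation.
    """
    return {
        "MinimumPasswordLength": CIS_MIN_LENGTH,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "PasswordReusePrevention": CIS_REUSE_PREVENTION,
        "HardExpiry": False,
    }


def fetch_password_policy(iam_client=None) -> Optional[Dict]:
    """Fetch the live policy for the account the credentials belong to.

    boto3 is imported here so the offline checks above do not need it.
    Returns None when no custom policy exists.
    """
    import boto3  # assumed available where this runs against real accounts
    iam = iam_client or boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None


def apply_compliant_policy(iam_client) -> None:
    """Remediate: write the full compliant policy in a single call."""
    iam_client.update_account_password_policy(**compliant_policy_kwargs())


# Constructed sample response (not from a real account): the "default
# 8-character minimum never updated" case from the pitfalls list.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

if __name__ == "__main__":
    for label, pol in (("no policy", None), ("weak", WEAK_POLICY), ("compliant", compliant_policy_kwargs())):
        print(label, evaluate_password_policy(pol) or ["OK"])
```

To run it against a real account, call evaluate_password_policy(fetch_password_policy()) with credentials for that account, and loop over accounts (for example via an assumed role per member account) since the policy is account-scoped.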
💀 Real-World Attack Scenario
An account left at the 8-character default had an IAM user with administrator permissions whose password was guessed. The credentials were then used for compute fraud and to reach customer data. Reported cost: $400K in fraudulent compute charges plus a customer-data exposure.
💰 Cost of Non-Compliance
Incidents traced to guessed or brute-forced IAM passwords: estimated $400K to $2M per incident.
📋 Audit Questions
- 1. What minimum password length does the account password policy enforce, and is it 14 or more?
- 2. Which character classes (symbols, numbers, uppercase, lowercase) does the policy require?
- 3. Does the policy prevent password reuse, and for how many previous passwords?
🎯 MITRE ATT&CK Mapping
- T1110 Brute Force (T1110.001 Password Guessing, T1110.003 Password Spraying) against IAM user console credentials
- T1078.004 Valid Accounts: Cloud Accounts, once a guessed password is used to sign in
⚡ Common Pitfalls
- ⛔ Account still on the 8-character default because the policy was never set (a new account has no custom policy at all)
- ⛔ Complexity rules satisfied by predictable substitutions (P@ssw0rd1! style), which wordlists and mangling rules already cover; length is the control that actually raises attacker cost
- ⛔ No reuse prevention, so a previously leaked password comes straight back after a forced reset
📈 Business Value
Strong password policy is baseline IAM hygiene.
⏱️ Effort Estimate
5 minutes per account
EchelonGraph audits password policy per account
🔗 Cross-Framework References
Automate CIS AWS Foundations Benchmark 1.8 (Ensure IAM password policy requires minimum length of 14 or greater) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →