Table: aws_iam_password_policies

This table shows data for IAM Password Policies.

https://docs.aws.amazon.com/IAM/latest/APIReference/API_PasswordPolicy.html

The primary key for this table is account_id.

Columns

| Name | Type |
| --- | --- |
| _cq_id | uuid |
| _cq_parent_id | uuid |
| account_id (PK) | utf8 |
| allow_users_to_change_password | bool |
| expire_passwords | bool |
| hard_expiry | bool |
| max_password_age | int64 |
| minimum_password_length | int64 |
| password_reuse_prevention | int64 |
| require_lowercase_characters | bool |
| require_numbers | bool |
| require_symbols | bool |
| require_uppercase_characters | bool |
| policy_exists | bool |

Example Queries

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

Ensure IAM password policy expires passwords within 90 days or less

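-- Control: passwords must expire, and within 90 days.
-- Every predicate is NULL-safe on purpose: an account with no policy
-- (policy_exists = false) or an unset field would otherwise evaluate to
-- UNKNOWN, which CASE treats as "no match" and reports as 'pass'.
-- Output shape: title, account_id, resource_id, status.
SELECT
  'Ensure IAM password policy expires passwords within 90 days or less'
    AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN policy_exists IS NOT true
      -- Per the linked API docs, ExpirePasswords is false when
      -- MaxPasswordAge is 0 or absent, so this catches the
      -- "0 means never expire" encoding as well as a missing value.
      OR expire_passwords IS NOT true
      OR max_password_age IS NULL
      OR max_password_age > 90
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;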

Ensure IAM password policy requires minimum length of 14 or greater

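-- Control: minimum password length of at least 14 characters.
-- NULL-safe: `minimum_password_length < 14` is UNKNOWN when the column
-- is NULL, so a missing value must be rejected explicitly or it would
-- fall through to 'pass'. Output shape: title, account_id, resource_id, status.
SELECT
  'Ensure IAM password policy requires minimum length of 14 or greater'
    AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN policy_exists IS NOT true
      OR minimum_password_length IS NULL
      OR minimum_password_length < 14
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;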

Ensure IAM password policy requires at least one lowercase letter

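-- Control: the policy must require at least one lowercase letter.
-- `IS NOT true` (rather than `= false`) also fails a NULL flag, which is
-- what a missing policy or an unset field looks like in this table.
-- Output shape: title, account_id, resource_id, status.
SELECT
  'Ensure IAM password policy requires at least one lowercase letter' AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN require_lowercase_characters IS NOT true
      OR policy_exists IS NOT true
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;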

Ensure IAM password policy requires at least one number

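-- Control: the policy must require at least one numeric character.
-- `IS NOT true` (rather than `= false`) also fails a NULL flag, which is
-- what a missing policy or an unset field looks like in this table.
-- Output shape: title, account_id, resource_id, status.
SELECT
  'Ensure IAM password policy requires at least one number' AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN require_numbers IS NOT true
      OR policy_exists IS NOT true
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;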

Ensure IAM password policy requires at least one symbol

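-- Control: the policy must require at least one symbol.
-- `IS NOT true` (rather than `= false`) also fails a NULL flag, which is
-- what a missing policy or an unset field looks like in this table.
-- Output shape: title, account_id, resource_id, status.
SELECT
  'Ensure IAM password policy requires at least one symbol' AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN require_symbols IS NOT true
      OR policy_exists IS NOT true
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;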

Ensure IAM password policy requires at least one uppercase letter

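-- Control: the policy must require at least one uppercase letter.
-- Predicates are already NULL-safe via `IS NOT true`; this revision only
-- names the output columns so the result shape (title, account_id,
-- resource_id, status) matches the other checks on this page.
SELECT
  'Ensure IAM password policy requires at least one uppercase letter' AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN require_uppercase_characters IS NOT true
      OR policy_exists IS NOT true
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;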

Ensure IAM password policy prevents password reuse

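-- Control: password reuse prevention must be set to 24, the largest
-- value IAM accepts for PasswordReusePrevention.
-- `IS DISTINCT FROM` is NULL-safe: a missing policy or an unset value is
-- distinct from 24 and therefore fails, so no separate policy_exists
-- test is needed. Output shape: title, account_id, resource_id, status.
SELECT
  'Ensure IAM password policy prevents password reuse' AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN password_reuse_prevention IS DISTINCT FROM 24 THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;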

Password policies for IAM users should have strong configurations

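-- Composite control: one 'fail' if any element of a strong policy is
-- missing. Thresholds (14 / 24 / 90) are the same ones the individual
-- checks on this page use, so an account that passes this query also
-- passes each of them; the earlier version only tested that
-- password_reuse_prevention and max_password_age were set, which let a
-- 3650-day expiry through, and it did not look at require_symbols at all.
-- All predicates are NULL-safe (`IS NOT true` / explicit IS NULL) so a
-- missing policy or unset field cannot fall through to 'pass'.
-- Output shape: title, account_id, resource_id, status.
SELECT
  'Password policies for IAM users should have strong configurations' AS title,
  account_id,
  account_id AS resource_id,
  CASE
    WHEN policy_exists IS NOT true
      OR require_uppercase_characters IS NOT true
      OR require_lowercase_characters IS NOT true
      OR require_numbers IS NOT true
      OR require_symbols IS NOT true
      OR minimum_password_length IS NULL
      OR minimum_password_length < 14
      OR password_reuse_prevention IS NULL
      OR password_reuse_prevention < 24
      OR max_password_age IS NULL
      OR max_password_age > 90
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_iam_password_policies;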