IAM Password policy should have expiry less than or equal to 90 days.

Explanation

IAM account password policies should have a maximum age specified.

The account password policy should be set to expire passwords after 90 days or less.

Insecure Example

The following example will fail the AWS038 check.

resource "aws_iam_account_password_policy" "strict" {
	# ...
	# max_password_age not set
	# ...
}

Secure Example

The following example will pass the AWS038 check.

resource "aws_iam_account_password_policy" "strict" {
	# ...
	max_password_age = 90
	# ...
}
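
The same rule can be checked against rendered plan output, which catches values that arrive through variables or modules. The following is an added example, not tfsec's implementation: it assumes the JSON layout produced by `terraform show -json`, the resource addresses and the `_res` helper are constructed sample data, and treating `0` as a failure is an assumption based on AWS using 0 to mean passwords never expire.

```python
MAX_AGE_DAYS = 90  # threshold stated by the AWS038 check
POLICY = "aws_iam_account_password_policy"


def _res(address, **values):
    """Build one constructed plan resource entry (sample data only)."""
    return {"address": address, "type": POLICY, "values": values}


# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        _res(f"{POLICY}.unset", minimum_password_length=14),
        _res(f"{POLICY}.strict", max_password_age=90),
    ],
    "child_modules": [{"address": "module.org", "resources": [
        _res(f"module.org.{POLICY}.lax", max_password_age=365),
        _res(f"module.org.{POLICY}.never", max_password_age=0),
    ]}],
}}}


def walk_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def check_password_expiry(plan):
    """Return {address: reason} for each policy that fails the expiry rule."""
    failures = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk_resources(root):
        if res.get("type") != POLICY:
            continue
        age = res.get("values", {}).get("max_password_age")
        if age is None:
            failures[res["address"]] = "max_password_age not set"
        elif age == 0:  # assumption: AWS treats 0 as "never expires"
            failures[res["address"]] = "max_password_age is 0 (never expires)"
        elif age > MAX_AGE_DAYS:
            failures[res["address"]] = f"max_password_age {age} > {MAX_AGE_DAYS}"
    return failures
```

Calling `check_password_expiry(SAMPLE_PLAN)` flags the unset, 365-day and 0 policies and passes the one set to 90.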