AWS - IAM

IAM Policies Federation STS and MFA

MFA and Password Policies

Enhancing your AWS account’s security posture involves two critical measures:

  1. Enabling Multi-Factor Authentication (MFA) for IAM users
  2. Defining and enforcing a robust password policy

This guide explains why MFA and strong password rules matter, outlines the key policy settings, and provides step-by-step instructions to configure both in the AWS Management Console.


Why Enforce Multi-Factor Authentication?

Multi-Factor Authentication adds an additional proof of identity beyond a username and password. After entering their credentials, users must supply a one-time code from a hardware token or a virtual MFA app like Google Authenticator. This secondary factor dramatically reduces the risk of unauthorized access, even if passwords are compromised.

Note

Virtual MFA apps (e.g., Authy, Google Authenticator) are free and easy to deploy across multiple devices.


Understanding IAM Password Policies

By default, AWS IAM does not enforce any password policy. Creating a custom policy allows you to align password complexity, expiration, and reuse rules with your organization’s governance standards.

The image outlines AWS password policies, highlighting account-level policies, default IAM policies, and the ability to configure custom policies based on governance requirements.

Key Password Policy Settings

| Policy Setting | Description | Example |
|---|---|---|
| Minimum password length | Enforces a lower bound on characters | 12 |
| Maximum password length | (Optional) Caps password size to reduce system load | 128 |
| Require uppercase characters | Ensures at least one A–Z | Enabled |
| Require lowercase characters | Ensures at least one a–z | Enabled |
| Require numbers | Ensures at least one digit 0–9 | Enabled |
| Require non-alphanumeric characters | Ensures at least one symbol (e.g., !@#$%^&*) | Enabled |
| Password expiration | Forces periodic password updates (in days) | 90 |
| Prevent password reuse | Blocks reuse of the last N passwords | Last 5 |

Warning

Enabling password expiration without a notification process can lead to unexpected lockouts. Communicate expiration policies clearly to your team.


Step-by-Step: Enable MFA and Configure a Password Policy

Follow these steps in the AWS Management Console:

1. Sign In to the AWS Management Console

  • Navigate to https://console.aws.amazon.com/ and open the IAM service.

2. Enable MFA for an IAM User

  1. In the left sidebar, choose Users.
  2. Select the target user name.
  3. Open the Security credentials tab.
  4. Under Assigned MFA device, click Manage.
  5. Follow the prompts to activate a hardware or virtual MFA device.

3. Define Your Account Password Policy

  1. From the IAM dashboard, click Account settings.
  2. Under Password policy, select Manage.
  3. Configure the policy using your organization’s minimums for length, complexity, expiration, and reuse.
  4. Click Save changes to apply.
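The console steps above have an API equivalent, and the settings table maps one-to-one onto the parameters of IAM's UpdateAccountPasswordPolicy call. The following Python is an added example, not part of the original lesson: it encodes the table's example values as a policy, checks candidate passwords against those rules (including reuse of the last N), translates the policy into the real boto3 parameter names, and audits which IAM users still have no MFA device. The AWS calls are only made when the script is run with `--apply` and need credentials holding `iam:UpdateAccountPasswordPolicy`, `iam:ListUsers` and `iam:ListMFADevices`; everything else runs offline. The password history passed to `check_password` is a constructed list for illustration; a real system compares hashes, never plaintext.

```python
"""Added example: IAM password policy rules and MFA audit in code (not from the lesson)."""
import string
import sys
from typing import Dict, List, Sequence

# Constructed policy using the example values from the settings table.
PASSWORD_POLICY: Dict = {
    "minimum_length": 12,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_symbols": True,
    "max_age_days": 90,        # password expiration
    "reuse_prevention": 5,     # block the last 5 passwords
}


def check_password(candidate: str, history: Sequence[str],
                   policy: Dict = PASSWORD_POLICY) -> List[str]:
    """Return the rules the candidate violates (empty list means it passes).

    `history` holds the user's previous passwords, most recent first.
    """
    violations: List[str] = []
    if len(candidate) < policy["minimum_length"]:
        violations.append(f"shorter than {policy['minimum_length']} characters")
    if len(candidate) > 128:  # IAM's fixed upper bound; not configurable
        violations.append("longer than 128 characters")
    if policy["require_uppercase"] and not any(c.isupper() for c in candidate):
        violations.append("no uppercase letter")
    if policy["require_lowercase"] and not any(c.islower() for c in candidate):
        violations.append("no lowercase letter")
    if policy["require_numbers"] and not any(c.isdigit() for c in candidate):
        violations.append("no digit")
    if policy["require_symbols"] and not any(c in string.punctuation for c in candidate):
        violations.append("no non-alphanumeric character")
    n = policy["reuse_prevention"]
    if n and candidate in list(history)[:n]:
        violations.append(f"reuses one of the last {n} passwords")
    return violations


def to_iam_params(policy: Dict = PASSWORD_POLICY) -> Dict:
    """Map the table's settings onto UpdateAccountPasswordPolicy parameters.

    There is no maximum-length parameter: IAM fixes the cap at 128.
    HardExpiry=False lets a user whose password expired still sign in to
    change it, which avoids the lockouts the lesson's warning describes.
    """
    return {
        "MinimumPasswordLength": policy["minimum_length"],
        "RequireUppercaseCharacters": policy["require_uppercase"],
        "RequireLowercaseCharacters": policy["require_lowercase"],
        "RequireNumbers": policy["require_numbers"],
        "RequireSymbols": policy["require_symbols"],
        "MaxPasswordAge": policy["max_age_days"],
        "PasswordReusePrevention": policy["reuse_prevention"],
        "AllowUsersToChangePassword": True,
        "HardExpiry": False,
    }


def apply_password_policy(iam, policy: Dict = PASSWORD_POLICY) -> Dict:
    """Apply the policy through a boto3 IAM client and return the parameters sent."""
    params = to_iam_params(policy)
    iam.update_account_password_policy(**params)
    return params


def users_without_mfa(iam) -> List[str]:
    """Return IAM user names that have no MFA device assigned.

    Pages through ListUsers with IsTruncated/Marker and calls ListMFADevices per user.
    """
    missing: List[str] = []
    kwargs: Dict = {}
    while True:
        resp = iam.list_users(**kwargs)
        for user in resp["Users"]:
            name = user["UserName"]
            if not iam.list_mfa_devices(UserName=name)["MFADevices"]:
                missing.append(name)
        if not resp.get("IsTruncated"):
            return missing
        kwargs = {"Marker": resp["Marker"]}


if __name__ == "__main__":
    # Offline demonstration with constructed inputs.
    print(check_password("Correct-Horse-42", history=["OldPass#2023"]))   # []
    print(check_password("Short-Pass", history=[]))                       # length + digit
    print(to_iam_params())
    if "--apply" in sys.argv:
        import boto3  # only needed for the live calls
        iam = boto3.client("iam")
        print("applied:", apply_password_policy(iam))
        print("users without MFA:", users_without_mfa(iam))
```

Run it without arguments to see the local checks; add `--apply` to push the policy and list MFA-less users against the account your credentials point at. Feeding `users_without_mfa` into a scheduled check gives you a simple detection for users who were created after the console walk-through and never had step 2 applied.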
