set-max-password-age
Default Severity: medium
Explanation
IAM account password policies should have a maximum age specified.
The account password policy should be set to expire passwords after 90 days or less.
Possible Impact
Long life password increase the likelihood of a password eventually being compromised
Suggested Resolution
Limit the password duration with an expiry in the policy
Insecure Example
The following example will fail the aws-iam-set-max-password-age check.
resource "aws_iam_account_password_policy" "bad_example" {
# ...
# max_password_age not set
# ...
}
Secure Example
The following example will pass the aws-iam-set-max-password-age check.
resource "aws_iam_account_password_policy" "good_example" {
max_password_age = 90
}