2017-10-27 20:31:36 +00:00
---
title: About the aws_iam_password_policy Resource
2018-02-13 19:30:07 +00:00
platform: aws
2017-10-27 20:31:36 +00:00
---
2018-02-15 02:23:29 +00:00
# aws\_iam\_password\_policy
2017-10-27 20:31:36 +00:00
Use the `aws_iam_password_policy` InSpec audit resource to test properties of the AWS IAM Password Policy.
<br>
## Syntax
2018-02-20 03:09:51 +00:00
An `aws_iam_password_policy` resource block takes no parameters. Several properties and matchers are available.
2017-10-27 20:31:36 +00:00
describe aws_iam_password_policy do
2018-02-14 20:59:57 +00:00
it { should require_lowercase_characters }
2017-10-27 20:31:36 +00:00
end
<br>
2018-02-14 01:42:39 +00:00
## Properties
2018-02-13 19:30:07 +00:00
2018-02-20 03:09:51 +00:00
* `max_password_age_in_days`, `minimum_password_length`, `number_of_passwords_to_remember`
2018-02-13 19:30:07 +00:00
2017-10-27 20:31:36 +00:00
## Examples
The following examples show how to use this InSpec audit resource.
### Test that the IAM Password Policy requires lowercase characters, uppercase characters, numbers, symbols, and a minimum length greater than eight
describe aws_iam_password_policy do
2018-02-14 20:59:57 +00:00
it { should require_lowercase_characters }
it { should require_uppercase_characters }
it { should require_symbols }
it { should require_numbers }
2017-10-27 20:31:36 +00:00
its('minimum_password_length') { should be > 8 }
end
### Test that the IAM Password Policy allows users to change their password
describe aws_iam_password_policy do
2018-02-14 20:59:57 +00:00
it { should allow_users_to_change_passwords }
2017-10-27 20:31:36 +00:00
end
### Test that the IAM Password Policy expires passwords
describe aws_iam_password_policy do
2018-02-14 20:59:57 +00:00
it { should expire_passwords }
2017-10-27 20:31:36 +00:00
end
### Test that the IAM Password Policy has a max password age
describe aws_iam_password_policy do
2018-02-14 20:59:57 +00:00
its('max_password_age_in_days') { should be 90 }
2017-10-27 20:31:36 +00:00
end
### Test that the IAM Password Policy prevents password reuse
describe aws_iam_password_policy do
2018-02-14 20:59:57 +00:00
it { should prevent_password_reuse }
2017-10-27 20:31:36 +00:00
end
### Test that the IAM Password Policy requires users to remember 3 previous passwords
describe aws_iam_password_policy do
its('number_of_passwords_to_remember') { should eq 3 }
end
<br>
## Matchers
2018-05-10 18:57:53 +00:00
This resource uses the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
2018-02-15 02:23:29 +00:00
2018-02-14 20:59:57 +00:00
* `allows_users_to_change_passwords`, `expire_passwords`, `prevent_password_reuse`, `require_lowercase_characters` , `require_uppercase_characters`, `require_numbers`, `require_symbols`
2018-05-10 18:57:53 +00:00
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetAccountPasswordPolicy` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).