inspec/docs/resources/aws_iam_password_policy.md

---
title: About the aws_iam_password_policy Resource
---

# aws_iam_password_policy

Use the `aws_iam_password_policy` InSpec audit resource to test properties of the AWS IAM Password Policy.

<br>

## Syntax

An `aws_iam_password_policy` resource block takes no parameters, but uses several matchers.

    describe aws_iam_password_policy do
      its('requires_lowercase_characters?') { should be true }
    end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that the IAM Password Policy requires lowercase characters, uppercase characters, numbers, symbols, and a minimum length greater than eight

    describe aws_iam_password_policy do
      its('requires_lowercase_characters?') { should be true }
      its('requires_uppercase_characters?') { should be true }
      its('requires_numbers?') { should be true }
      its('requires_symbols?') { should be true }
      its('minimum_password_length') { should be > 8 }
    end

### Test that the IAM Password Policy allows users to change their password

    describe aws_iam_password_policy do
      its('allows_user_to_change_password?') { should be true }
    end

### Test that the IAM Password Policy expires passwords

    describe aws_iam_password_policy do
      its('expires_passwords?') { should be true }
    end

### Test that the IAM Password Policy has a max password age

    describe aws_iam_password_policy do
      its('max_password_age') { should be > 90 * 86400 }
    end

### Test that the IAM Password Policy prevents password reuse

    describe aws_iam_password_policy do
      its('prevents_password_reuse?') { should be true }
    end

### Test that the IAM Password Policy requires users to remember 3 previous passwords

    describe aws_iam_password_policy do
      its('number_of_passwords_to_remember') { should eq 3 }
    end

<br>

## Matchers

For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
Documentation for existing resources * Update docs in source to use matcher-style calls, not properties-as-predicates Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Main doc file for aws_iam_user Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add documentation for existing resources This adds documentation for the following resources, including custom matchers: - aws_ec2_instance - aws_iam_access_key - aws_iam_password_policy - aws_iam_root_user - aws_iam_users Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix `aws_iam_users` example (Console + No MFA) (#104) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Correct copypasta Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Remove misleading singular matcher information from the plural docs for aws_iam_users Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Correct `aws-iam-userss` typo (#105) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add EC2 instance state info Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * test commit Signed-off-by: kgarmoe <kgarmoe@chef.io> * copy edits Signed-off-by: kgarmoe <kgarmoe@chef.io> * Yikes, forgot to save after correcting a merge conflict Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2017-10-27 16:31:36 -04:00			`---`
			`title: About the aws_iam_password_policy Resource`
			`---`

			`# aws_iam_password_policy`

			Use the `aws_iam_password_policy` InSpec audit resource to test properties of the AWS IAM Password Policy.

			`<br>`

			`## Syntax`

			An `aws_iam_password_policy` resource block takes no parameters, but uses several matchers.

			`describe aws_iam_password_policy do`
			`its('requires_lowercase_characters?') { should be true }`
			`end`

			`<br>`

			`## Examples`

			`The following examples show how to use this InSpec audit resource.`

			`### Test that the IAM Password Policy requires lowercase characters, uppercase characters, numbers, symbols, and a minimum length greater than eight`

			`describe aws_iam_password_policy do`
			`its('requires_lowercase_characters?') { should be true }`
			`its('requires_uppercase_characters?') { should be true }`
			`its('requires_numbers?') { should be true }`
			`its('requires_symbols?') { should be true }`
			`its('minimum_password_length') { should be > 8 }`
			`end`

			`### Test that the IAM Password Policy allows users to change their password`

			`describe aws_iam_password_policy do`
			`its('allows_user_to_change_password?') { should be true }`
			`end`

			`### Test that the IAM Password Policy expires passwords`

			`describe aws_iam_password_policy do`
			`its('expires_passwords?') { should be true }`
			`end`

			`### Test that the IAM Password Policy has a max password age`

			`describe aws_iam_password_policy do`
			`its('max_password_age') { should be > 90 * 86400 }`
			`end`

			`### Test that the IAM Password Policy prevents password reuse`

			`describe aws_iam_password_policy do`
			`its('prevents_password_reuse?') { should be true }`
			`end`

			`### Test that the IAM Password Policy requires users to remember 3 previous passwords`

			`describe aws_iam_password_policy do`
			`its('number_of_passwords_to_remember') { should eq 3 }`
			`end`

			`<br>`

			`## Matchers`

			For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).