TF 0166 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
IAM Password policy should have requirement for at least one symbol in the password.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | iam |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The IAM password policy is configured without requiring at least one symbol in user passwords, allowing the use of weaker, less complex passwords. This increases the risk of passwords being easily guessed or compromised through brute-force attacks.
Impact
Without a symbol requirement, user passwords are more susceptible to common attacks such as brute-force or dictionary attacks. If a password is compromised, an attacker could gain unauthorized access to AWS resources, potentially resulting in data breaches or resource misuse.
Resolution
Enforce longer, more complex passwords in the IAM account password policy, including the requirement for at least one symbol that this check looks for.
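As an added example (not part of this database entry or its check code), the Terraform resource this finding concerns, showing the omission beside a corrected policy. Resource and argument names are those of the Terraform AWS provider; the numeric values in the corrected block are illustrative hardening choices, not values stated on this page.

```hcl
# Added example, not from the SymbioticSec entry. Both resources target the
# single account-level policy, so they show a before/after, not two policies
# to apply together.

# Flagged: require_symbols is omitted. The provider default is false, so the
# account policy accepts passwords that contain no symbol at all.
resource "aws_iam_account_password_policy" "weak" {
  minimum_password_length = 8
}

# Corrected: the symbol requirement is set explicitly, alongside the other
# complexity and rotation settings (illustrative values).
resource "aws_iam_account_password_policy" "hardened" {
  minimum_password_length        = 14
  require_symbols                = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
  hard_expiry                    = false
}
```

To verify what is actually in effect on a deployed account, `aws iam get-account-password-policy` returns the current policy, and its `RequireSymbols` field should read `true`.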