TF 0228 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
IAM Password policy should have requirement for at least one lowercase character.
Property | Value |
---|---|
Language | |
Severity | |
Service | iam |
Provider | AWS |
Vulnerability Type | omission |
Description
The IAM password policy does not enforce the use of at least one lowercase character in user passwords, allowing weak and easily guessable passwords to be set. This reduces the overall strength of account credentials.
Impact
Without a requirement for lowercase characters, passwords are simpler and more vulnerable to brute-force or dictionary attacks, increasing the risk of unauthorized access to AWS resources and potential compromise of sensitive data.
Resolution
Enforce longer, more complex passwords in the policy, including a requirement for at least one lowercase character.
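One way to check for this finding before apply, as an added example that is not part of the wiki page or SymbioticSec's own rule implementation. It assumes the TF prefix refers to Terraform, that the policy is managed with the AWS provider's `aws_iam_account_password_policy` resource, and that the plan was exported with `terraform show -json`; the sample plan, resource addresses and function names are constructed for illustration.

```python
import json

RESOURCE_TYPE = "aws_iam_account_password_policy"
ATTRIBUTE = "require_lowercase_characters"

# Constructed sample, shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_iam_account_password_policy.weak",
     "type": "aws_iam_account_password_policy",
     "values": {"minimum_password_length": 8, "require_lowercase_characters": false}},
    {"address": "aws_iam_account_password_policy.unset",
     "type": "aws_iam_account_password_policy",
     "values": {"minimum_password_length": 14}}
  ],
  "child_modules": [{
    "address": "module.baseline",
    "resources": [
      {"address": "module.baseline.aws_iam_account_password_policy.strict",
       "type": "aws_iam_account_password_policy",
       "values": {"minimum_password_length": 14, "require_lowercase_characters": true}}
    ]
  }]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_missing_lowercase(plan):
    """Return sorted addresses of policies where the flag is not an explicit true.

    A value of false, a null value and an absent key are all reported.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    return sorted(
        res.get("address", "<unknown>")
        for res in iter_resources(root)
        if res.get("type") == RESOURCE_TYPE
        and (res.get("values") or {}).get(ATTRIBUTE) is not True
    )


if __name__ == "__main__":
    for address in find_missing_lowercase(SAMPLE_PLAN):
        print(f"FAIL {address}: {ATTRIBUTE} is not true")
```

A policy that leaves the attribute unset is reported alongside one that sets it to `false`, so the check fails closed when the value cannot be confirmed from the plan.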