AWS
IAMPasswordPolicyViolation - IAM Password Policy Violation
Getting an **IAMPasswordPolicyViolation** error means the password you're trying to set doesn't meet your AWS account's password policy requirements: the password might be too short, missing required character types, or in violation of complexity or history rules. This client-side error (4xx) is returned when AWS validates a password against the account password policy. It is most common when a password is too short, but it also appears when required character types are missing, complexity requirements aren't met, the password appears in the user's history (reuse prevention), or another password policy rule is violated.
# Common Causes
- Identity: IAM password policy enforcement. A Service Control Policy (SCP) enforces password rules.
- Network: VPC endpoint IAM password restrictions. Password policy violation.
- Limits: Password too short (below minimum length). Password missing required characters (uppercase, lowercase, numbers, symbols). Password does not meet complexity requirements. Password in history (reuse prevention). Password policy violation.
# Solutions
- Step 1: Diagnose - Check the account password policy: `aws iam get-account-password-policy`. Review minimum length, character requirements, complexity rules, and history restrictions.
- Step 2: Diagnose - Validate the password against the policy: check minimum length; verify uppercase, lowercase, numbers, and symbols if required; check password history.
- Step 3: Diagnose - Review the password policy requirements: minimum length (configurable between 6 and 128 characters), require uppercase characters, require lowercase characters, require numbers, require symbols, password reuse prevention (history).
- Step 4: Fix - Ensure the password meets all requirements: use a password generator, include the required character types, meet the minimum length, and avoid passwords in the history.
- Step 5: Fix - Update the password: create a new password meeting all policy requirements, then use the AWS Console or CLI: `aws iam update-login-profile --user-name USER_NAME --password PASSWORD --password-reset-required`.
# Code Examples
## Check Account Password Policy Requirements

```bash
#!/bin/bash
echo "=== Account Password Policy ==="
# Capture the policy and test the exit status of the CLI call itself: the call
# fails (NoSuchEntity) when the account has never configured a policy.
if POLICY=$(aws iam get-account-password-policy --output json 2>/dev/null); then
  MIN_LENGTH=$(echo "${POLICY}" | jq -r '.PasswordPolicy.MinimumPasswordLength')
  REQUIRE_UPPERCASE=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireUppercaseCharacters')
  REQUIRE_LOWERCASE=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireLowercaseCharacters')
  REQUIRE_NUMBERS=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireNumbers')
  REQUIRE_SYMBOLS=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireSymbols')

  echo "Password requirements:"
  echo "  Minimum length: ${MIN_LENGTH}"
  echo "  Require uppercase: ${REQUIRE_UPPERCASE}"
  echo "  Require lowercase: ${REQUIRE_LOWERCASE}"
  echo "  Require numbers: ${REQUIRE_NUMBERS}"
  echo "  Require symbols: ${REQUIRE_SYMBOLS}"
else
  echo "No password policy configured"
  echo "Default requirements apply"
fi
```

## Validate Password Against Policy
```bash
#!/bin/bash
# Candidate password to check; pass it as the first argument to override.
PASSWORD="${1:-MyP@ssw0rd123}"

echo "=== Validating Password ==="

# Get policy requirements (the call fails when no policy is configured)
if POLICY=$(aws iam get-account-password-policy --output json 2>/dev/null); then
  MIN_LENGTH=$(echo "${POLICY}" | jq -r '.PasswordPolicy.MinimumPasswordLength')
  REQUIRE_UPPERCASE=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireUppercaseCharacters')
  REQUIRE_LOWERCASE=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireLowercaseCharacters')
  REQUIRE_NUMBERS=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireNumbers')
  REQUIRE_SYMBOLS=$(echo "${POLICY}" | jq -r '.PasswordPolicy.RequireSymbols')

  ERRORS=()

  # Check minimum length
  if [ ${#PASSWORD} -lt "${MIN_LENGTH}" ]; then
    ERRORS+=("Password too short (minimum ${MIN_LENGTH} characters)")
  fi

  # Check uppercase
  if [ "${REQUIRE_UPPERCASE}" = "true" ] && [[ ! ${PASSWORD} =~ [A-Z] ]]; then
    ERRORS+=("Missing uppercase character")
  fi

  # Check lowercase
  if [ "${REQUIRE_LOWERCASE}" = "true" ] && [[ ! ${PASSWORD} =~ [a-z] ]]; then
    ERRORS+=("Missing lowercase character")
  fi

  # Check numbers
  if [ "${REQUIRE_NUMBERS}" = "true" ] && [[ ! ${PASSWORD} =~ [0-9] ]]; then
    ERRORS+=("Missing number")
  fi

  # Check symbols. Any non-alphanumeric character passes here; IAM itself only
  # counts its documented symbol set, so this check is slightly more lenient.
  if [ "${REQUIRE_SYMBOLS}" = "true" ] && [[ ! ${PASSWORD} =~ [^a-zA-Z0-9] ]]; then
    ERRORS+=("Missing symbol")
  fi

  # Password history (reuse prevention) is enforced server-side and cannot be
  # checked locally.
  if [ ${#ERRORS[@]} -eq 0 ]; then
    echo "✓ Password meets policy requirements"
  else
    echo "✗ Password violations (IAMPasswordPolicyViolation):"
    printf '  %s\n' "${ERRORS[@]}"
  fi
else
  echo "No password policy configured"
fi
```

## Update User Password with Valid Password
```bash
#!/bin/bash
USER_NAME="my-user"
NEW_PASSWORD="MyNewP@ssw0rd123"

echo "=== Updating User Password ==="
echo "User: ${USER_NAME}"

# Validate password first (use previous validation)
echo "Validating password against policy..."
# ... (password validation logic here)

# Update password. The user must already have a login profile (otherwise use
# create-login-profile). A password passed on the command line is visible in
# process listings and, in an interactive shell, in history; for anything
# beyond a test account prefer --cli-input-json with a file:// input.
echo
echo "=== Updating Password ==="
if aws iam update-login-profile \
     --user-name "${USER_NAME}" \
     --password "${NEW_PASSWORD}" \
     --password-reset-required \
     --output json; then
  echo
  echo "✓ Password updated successfully"
  echo "User will be required to reset password on next login"
else
  echo
  echo "✗ Failed to update password"
  echo "Check for IAMPasswordPolicyViolation"
fi
```
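As an added example (not part of the original page or the AWS CLI), the following bash functions reproduce the policy checks offline and generate a password that satisfies them. The policy values (minimum length and the four `Require*` flags) are passed in as arguments instead of being fetched, so it runs without AWS credentials; the symbol set is the one listed in the IAM password policy documentation, which is narrower than the `[^a-zA-Z0-9]` test used in the validation script above.

```bash
#!/bin/bash
# Added example (not from the original page or the AWS CLI): offline check of a
# candidate password against IAM password-policy settings, plus a generator for
# a compliant one. Policy values are the fields of get-account-password-policy.

# Non-alphanumeric characters the IAM password policy counts as symbols. This is
# narrower than [^a-zA-Z0-9]: a password whose only "symbol" is '~' still fails.
AWS_SYMBOLS='!@#$%^&*()_+-=[]{}|'"'"

count_symbols() {  # number of characters of $1 that are in AWS_SYMBOLS
  local s=$1 i n=0
  for ((i = 0; i < ${#s}; i++)); do
    [[ $AWS_SYMBOLS == *"${s:i:1}"* ]] && n=$((n + 1))
  done
  echo "$n"
}

# validate_password PASSWORD MIN_LENGTH REQ_UPPER REQ_LOWER REQ_NUMBERS REQ_SYMBOLS
# Prints one violation per line; returns 0 when compliant, 1 otherwise
# (reuse prevention / history is server-side and cannot be checked here).
validate_password() {
  local pw=$1 min_len=$2 rc=0
  [ "${#pw}" -ge "$min_len" ] || { echo "too short (${#pw} < ${min_len})"; rc=1; }
  [ "${#pw}" -le 128 ] || { echo "too long (max 128)"; rc=1; }
  [ "$3" != true ] || [[ $pw =~ [A-Z] ]] || { echo "missing uppercase"; rc=1; }
  [ "$4" != true ] || [[ $pw =~ [a-z] ]] || { echo "missing lowercase"; rc=1; }
  [ "$5" != true ] || [[ $pw =~ [0-9] ]] || { echo "missing number"; rc=1; }
  [ "$6" != true ] || [ "$(count_symbols "$pw")" -gt 0 ] || { echo "missing symbol"; rc=1; }
  return $rc
}

rand_below() {  # integer in [0, $1) from /dev/urandom (negligible modulo bias)
  local r; r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' '); echo $(( r % $1 ))
}
pick() { local s=$1 i; i=$(rand_below "${#s}"); printf '%s' "${s:i:1}"; }

# generate_password LENGTH REQ_UPPER REQ_LOWER REQ_NUMBERS REQ_SYMBOLS
# One character from each required class, padding from the full alphabet, then a
# Fisher-Yates shuffle so the required classes do not always come first.
generate_password() {
  local len=$1 i j tmp chars=()
  local up='ABCDEFGHIJKLMNOPQRSTUVWXYZ' lo='abcdefghijklmnopqrstuvwxyz' dg='0123456789'
  [ "$2" = true ] && chars+=("$(pick "$up")")
  [ "$3" = true ] && chars+=("$(pick "$lo")")
  [ "$4" = true ] && chars+=("$(pick "$dg")")
  [ "$5" = true ] && chars+=("$(pick "$AWS_SYMBOLS")")
  while [ "${#chars[@]}" -lt "$len" ]; do chars+=("$(pick "$up$lo$dg$AWS_SYMBOLS")"); done
  for ((i = ${#chars[@]} - 1; i > 0; i--)); do
    j=$(rand_below $((i + 1))); tmp=${chars[i]}; chars[i]=${chars[j]}; chars[j]=$tmp
  done
  printf '%s' "${chars[@]}"; echo
}
```

Feed `generate_password` the values read from `get-account-password-policy` and pass the result through `validate_password` before calling `update-login-profile`; the one rule this cannot pre-check is reuse prevention.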
# Provider Information
This error code is specific to AWS services. For more information, refer to the official AWS documentation.