Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The IAM Password Policy solution updates the AWS account password policy within all accounts in an AWS Organization.
- All resources are deployed via AWS CloudFormation as a
StackSet
andStack Instance
within the management account or a CloudFormationStack
within a specific account. - The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation
StackSet
. - For parameter details, review the AWS CloudFormation templates.
- The Lambda function includes logic to set the account password policy
- All the
AWS Lambda Function
logs are sent to a CloudWatch Log Group</aws/lambda/<LambdaFunctionName>
to help with debugging and traceability of the actions performed. - By default the
AWS Lambda Function
will create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key.
- IAM role used by the Lambda function to update the account password policy
- AWS account password policy for IAM users
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method:
In the management account (home region)
, launch the sra-iam-password-policy-main-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml --stack-name sra-iam-password-policy-main-ssm --capabilities CAPABILITY_NAMED_IAM
- Log into any account within the AWS Organization
- Navigate to the IAM -> Account settings page
- Verify the password policy settings
- In the
management account (home region)
, delete the AWS CloudFormation Stack (sra-iam-password-policy-main-ssm
orsra-iam-password-policy-main
) created above. - In each AWS account, delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.