Compliance · Medium severity

AWS Security Hub · IAM

IAM.10: IAM user password policies should be strong (PCI DSS)

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub IAM.10 check?

IAM.10 fails when the account password policy doesn't meet the fixed PCI DSS v3.2.1 thresholds: a minimum length of 7, prevention of reuse of the last 4 passwords, and a maximum password age of 90 days, among others. Unlike IAM.7, these thresholds are fixed; the control exposes no parameters to change them.

Why does IAM.10 matter?

PCI DSS environments are bound to specific password parameters, and an auditor checks them literally. A policy that's strong but doesn't match the prescribed v3.2.1 numbers still fails the control and the audit. Meeting the exact thresholds keeps the cardholder-data environment compliant.

How do I fix IAM.10?

  1. Read the current policy with get-account-password-policy.
  2. Run update-account-password-policy with at least a minimum length of 7, password-reuse prevention of 4, and a maximum password age of 90 days.
  3. For human access, federate through IAM Identity Center so the password regime lives in your IdP.
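The three steps above, as an added example that is not Emnode's or AWS's own code: it evaluates the JSON that `aws iam get-account-password-policy` prints against the IAM.10 thresholds and then builds the matching `update-account-password-policy` call. The length, reuse and max-age values come from this article; the three `Require*` flags are an assumption about the control definition and should be checked against the Security Hub documentation. The sample policies are constructed, and the code also generalises beyond the page by carrying over booleans that the API would otherwise reset to false when omitted.

```python
import json

# Fixed PCI DSS v3.2.1 thresholds that IAM.10 enforces (not tunable in Security Hub).
# Length, reuse prevention and max age are the values given in the article; the three
# Require* flags are ASSUMED from the control definition and should be verified against
# the AWS Security Hub documentation before relying on them.
PCI_MIN_LENGTH = 7
PCI_REUSE_PREVENTION = 4
PCI_MAX_AGE_DAYS = 90
PCI_REQUIRED_FLAGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
)

# update-account-password-policy resets every boolean it is not given to false, so a
# remediation call must carry over the current values of the flags it does not tighten.
CARRY_OVER_FLAGS = ("RequireSymbols", "AllowUsersToChangePassword", "HardExpiry")


def iam10_findings(policy):
    """Evaluate a PasswordPolicy dict (the object under "PasswordPolicy" in
    get-account-password-policy output). Returns a list of failure strings;
    an empty list means IAM.10 passes. Pass {} for an account with no policy."""
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < PCI_MIN_LENGTH:
        findings.append(f"MinimumPasswordLength={length}, need >= {PCI_MIN_LENGTH}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < PCI_REUSE_PREVENTION:
        findings.append(f"PasswordReusePrevention={reuse}, need >= {PCI_REUSE_PREVENTION}")
    age = policy.get("MaxPasswordAge")  # key is absent when passwords never expire
    if age is None or age > PCI_MAX_AGE_DAYS:
        findings.append(f"MaxPasswordAge={age}, need <= {PCI_MAX_AGE_DAYS} with expiry enabled")
    for flag in PCI_REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag}=false, need true")
    return findings


def findings_from_cli_output(text):
    """Same check, fed the raw JSON printed by `aws iam get-account-password-policy`."""
    return iam10_findings(json.loads(text)["PasswordPolicy"])


def remediation_args(policy):
    """Arguments for update-account-password-policy that lift the policy to the PCI
    floor without weakening anything already stronger, and that preserve booleans
    the API would otherwise silently reset."""
    current_age = policy.get("MaxPasswordAge") or PCI_MAX_AGE_DAYS
    args = {
        "MinimumPasswordLength": max(policy.get("MinimumPasswordLength", 0), PCI_MIN_LENGTH),
        "PasswordReusePrevention": max(policy.get("PasswordReusePrevention", 0), PCI_REUSE_PREVENTION),
        "MaxPasswordAge": min(current_age, PCI_MAX_AGE_DAYS),
    }
    for flag in PCI_REQUIRED_FLAGS:
        args[flag] = True
    for flag in CARRY_OVER_FLAGS:
        args[flag] = bool(policy.get(flag, False))
    return args


def to_cli(args):
    """Render the argument dict as an aws CLI command line; booleans use the
    --require-numbers / --no-require-numbers flag pairs the CLI accepts."""
    parts = ["aws iam update-account-password-policy"]
    for key, value in args.items():
        option = "".join("-" + ch.lower() if ch.isupper() else ch for ch in key).lstrip("-")
        if isinstance(value, bool):
            parts.append(f"--{option}" if value else f"--no-{option}")
        else:
            parts.append(f"--{option} {value}")
    return " ".join(parts)


# Constructed sample: a CIS-style policy (length 14, reuse 24) with no expiry set,
# so IAM.10 still fails on MaxPasswordAge alone.
CIS_NO_EXPIRY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 24,
}

if __name__ == "__main__":
    for name, pol in (("cis-no-expiry", CIS_NO_EXPIRY), ("no-policy", {})):
        print(name, iam10_findings(pol) or "IAM.10 PASS")
        print("   fix:", to_cli(remediation_args(pol)))
```

To run it against a live account, pipe the CLI output in: `aws iam get-account-password-policy | python3 -c 'import sys, check; print(check.findings_from_cli_output(sys.stdin.read()))'` (assuming the file is saved as `check.py`); if the account has no policy at all the CLI returns a NoSuchEntity error rather than JSON, which is the `{}` case above.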

Remediation script · bash

# Find active access keys idle past 45 days and disable them (review before deleting).
# Credential-report columns used below: $1 user, $9 access_key_1_active,
# $10 access_key_1_last_rotated, $11 access_key_1_last_used_date (ISO 8601, so a string
# compare against YYYY-MM-DD works). Never-used keys show "N/A" in $11 and are skipped
# by this one-liner; access key 2 lives in $14/$15/$16 if you also want to check it.
# `date -d` is GNU date; on BSD/macOS use: date -u -v-45d +%Y-%m-%d
CUTOFF=$(date -u -d '45 days ago' +%Y-%m-%d)
aws iam generate-credential-report >/dev/null   # async; retry the next call if it reports "in progress"
aws iam get-credential-report --query Content --output text | base64 -d \
  | awk -F, -v c="$CUTOFF" 'NR>1 && $9=="true" && $11<c {print $1, $10}'
# Deactivate a key flagged above (example user and key ID). The report does not contain
# key IDs; look them up with: aws iam list-access-keys --user-name old-contractor
aws iam update-access-key --user-name old-contractor \
  --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive

# Apply a CIS-aligned IAM password policy in one idempotent call. Length 14 and reuse 24
# exceed the PCI DSS floor of 7 and 4, but IAM.10 also requires --max-password-age 90.
# Any boolean flag omitted from this call is reset to false, so list every flag you rely on.
aws iam update-account-password-policy --minimum-password-length 14 \
  --require-uppercase-characters --require-lowercase-characters \
  --require-numbers --require-symbols --password-reuse-prevention 24 \
  --max-password-age 90

# A clear-text key in a build project is compromised: rotate and delete, never just relocate.
aws iam delete-access-key --user-name ci-deploy --access-key-id AKIAIOSFODNN7EXAMPLE

Full walkthrough (console steps, edge cases and verification) in the lesson Rotate and remove stale IAM credentials.
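The stale-key search in the remediation script relies on fixed column numbers and a string compare that quietly skips keys whose last-used date is "N/A". As an added example (not Emnode's code), this Python version reads the same credential-report CSV by column name, checks both access-key slots, and treats a never-used key by its rotation date instead of skipping it. The report content, user names, ARNs and dates are constructed; the column layout is the real one returned by `aws iam get-credential-report` after base64 decoding.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

IDLE_DAYS = 45  # the threshold the remediation script and IAM.22 use

# Constructed credential report with the real column layout of
# `aws iam get-credential-report` (after base64 decoding). Users, ARNs and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,2024-01-10T09:00:00+00:00,true,2025-05-30T08:00:00+00:00,2025-03-01T00:00:00+00:00,2025-05-30T00:00:00+00:00,true,true,2025-03-01T00:00:00+00:00,2025-05-29T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
old-contractor,arn:aws:iam::123456789012:user/old-contractor,2023-06-01T09:00:00+00:00,false,not_supported,not_supported,not_supported,false,true,2023-06-01T09:05:00+00:00,2025-01-15T16:20:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-10-01T09:00:00+00:00,false,not_supported,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,true,2024-11-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Credential-report timestamps are ISO 8601; N/A, no_information and not_supported
    mean "never" or "unknown" and come back as None rather than a bogus comparison."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv, now=NOW, idle_days=IDLE_DAYS):
    """Active access keys (both slots) not used within idle_days. A key that has never
    been used is judged by its creation/rotation date instead, so it is not silently
    skipped the way a plain string comparison against "N/A" would skip it.
    Returns (user, slot, last_used, last_rotated) tuples in report order."""
    cutoff = now - timedelta(days=idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            reference = last_used if last_used is not None else rotated
            if reference is not None and reference < cutoff:
                stale.append((row["user"], slot, last_used, rotated))
    return stale


if __name__ == "__main__":
    for user, slot, last_used, rotated in stale_keys(SAMPLE_REPORT):
        print(f"{user}: access key {slot} last used {last_used or 'never'}, rotated {rotated}")
```

The credential report never includes access key IDs, so the deactivation step still needs `aws iam list-access-keys --user-name <user>` to map each flagged slot to the `AccessKeyId` that `update-access-key --status Inactive` expects.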

Is IAM.10 a false positive?

IAM.10 and IAM.7 share the same Security Hub title but enforce different thresholds; they are not duplicates, and passing one does not pass the other. Note that AWS removed IAM.10 from the PCI DSS v4.0.1 standard in May 2025.

Part of the learning path Lock down access
  • IAM.1 A policy grants full "*" administrative privileges
  • IAM.2 Policies attached directly to users do not scale or audit cleanly
  • IAM.3 Long-lived access keys have not been rotated
  • IAM.4 The root user still has long-lived access keys
  • IAM.5 Console users without MFA are one phish from compromise
  • IAM.6 The root user is not protected by hardware MFA
  • IAM.7 The IAM password policy is too weak
  • IAM.8 Unused IAM keys and passwords are waiting to be leaked
  • IAM.9 The root user can sign in without MFA
  • IAM.19 MFA should be enabled for all IAM users
  • IAM.21 Wildcard permissions grant far more access than intended
  • IAM.22 IAM credentials unused for 45 days should be removed