> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS account password policy should be configured

> Checks that an AWS account-level password policy is configured.

Checks that an AWS account-level password policy is configured.

## About

When you connect Amazon Web Services (AWS) to DSALTA, the platform syncs your users, roles, and access settings using read-only API access. DSALTA evaluates this control on every sync. If the requirement is not met, DSALTA activates this check.

## Why This Matters

Weak passwords are easy to brute-force or guess. A strong policy — length, complexity, expiration, and lockout — raises the cost of an attack significantly and is a documented requirement in SOC 2 and ISO 27001.

## How to Fix

**Before you begin**

* Ensure you have **IAM admin** permissions in the AWS account.

**Configure the account password policy**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) and go to **IAM → Account settings**.
2. Under **Password policy**, click **Edit**.
3. Set a minimum length of **14 characters**, and require uppercase, lowercase, numbers, and symbols.
4. Enable password expiration (for example, 90 days) and prevent reuse of the last 24 passwords.
5. Click **Save changes**.

Once the password policy meets the requirements, DSALTA retrieves the change on the next sync and sets the check status to **Passing**.

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="How often does this check run?">
    This check runs automatically every 24 hours while the Amazon Web Services (AWS) integration is connected. You can also trigger a manual sync from **Integrations** in the sidebar.
  </Accordion>

  <Accordion title="What happens if it keeps failing?">
    A failing check appears in your **Data Library → Tests** dashboard. Work through the steps above; once the underlying configuration is fixed, the status updates automatically on the next sync.
  </Accordion>

  <Accordion title="Can I exclude this check?">
    Yes. If it does not apply to your environment, mark it as **Not Applicable** with a justification. The exclusion is documented for auditors.
  </Accordion>

  <Accordion title="Does DSALTA change my Amazon Web Services (AWS) configuration?">
    No. DSALTA uses **read-only API access** and never modifies, creates, or deletes resources. All remediation is performed by your team directly in Amazon Web Services (AWS).
  </Accordion>
</AccordionGroup>