AWS Password Policy Enforces Password Age Limit Of 90 Days Or Less
This policy validates that the account password policy enforces a maximum password age of 90 days or less.
Enforcing a max password age means that passwords will be regularly rotated. This is considered best security practice as it reduces the time possible for attackers to compromise passwords, and to make use of compromised credentials.
To remediate this, set the account password policy's max password age to 90 days or less.
2. Alternatively, to just enforce the max password age, use the following command. Note: since this command does not allow for partial updates, this command will remove any password complexity and reuse requirements:
aws iam update-account-password-policy --max-password-age 90
CIS AWS Benchmark 1.11 "Ensure IAM password policy expires passwords within 90 days or less".