Skip to content

Instantly share code, notes, and snippets.

@statik

statik/passwordpolicy-generated.yaml

Last active June 24, 2025 14:31
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save statik/344b09e294e0e41a82bd36d26396e765 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save statik/344b09e294e0e41a82bd36d26396e765 to your computer and use it in GitHub Desktop.
Download ZIP
CDK managed AWS Account Password Policy
Raw
passwordpolicy-generated.yaml
Resources:
AccountPasswordPolicyC318930E:
Type: Custom::AWS
Properties:
ServiceToken:
Fn::GetAtt:
- AWS679f53fac002430cb0da5b7982bd22872D164C4C
- Arn
Create:
service: IAM
action: updateAccountPasswordPolicy
parameters:
AllowUsersToChangePassword: TRUE:BOOLEAN
HardExpiry: FALSE:BOOLEAN
MaxPasswordAge: 90
MinimumPasswordLength: 18
PasswordReusePrevention: 24
RequireLowercaseCharacters: TRUE:BOOLEAN
RequireNumbers: TRUE:BOOLEAN
RequireSymbols: TRUE:BOOLEAN
RequireUppercaseCharacters: TRUE:BOOLEAN
physicalResourceId:
id: AccountPasswordPolicy
Update:
service: IAM
action: updateAccountPasswordPolicy
parameters:
AllowUsersToChangePassword: TRUE:BOOLEAN
HardExpiry: FALSE:BOOLEAN
MaxPasswordAge: 90
MinimumPasswordLength: 18
PasswordReusePrevention: 24
RequireLowercaseCharacters: TRUE:BOOLEAN
RequireNumbers: TRUE:BOOLEAN
RequireSymbols: TRUE:BOOLEAN
RequireUppercaseCharacters: TRUE:BOOLEAN
physicalResourceId:
id: AccountPasswordPolicy
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: PasswordPolicy/AccountPasswordPolicy/Resource/Default
AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Metadata:
aws:cdk:path: PasswordPolicy/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource
AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: iam:UpdateAccountPasswordPolicy
Effect: Allow
Resource: "*"
Version: "2012-10-17"
PolicyName: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E
Roles:
- Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
Metadata:
aws:cdk:path: PasswordPolicy/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/DefaultPolicy/Resource
AWS679f53fac002430cb0da5b7982bd22872D164C4C:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket:
Ref: AssetParametersf883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50ccS3BucketA67797D4
S3Key:
Fn::Join:
- ""
- - Fn::Select:
- 0
- Fn::Split:
- "||"
- Ref: AssetParametersf883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50ccS3VersionKeyD2C3FB42
- Fn::Select:
- 1
- Fn::Split:
- "||"
- Ref: AssetParametersf883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50ccS3VersionKeyD2C3FB42
Handler: index.handler
Role:
Fn::GetAtt:
- AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
- Arn
Runtime: nodejs12.x
Timeout: 120
DependsOn:
- AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E
- AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
Metadata:
aws:cdk:path: PasswordPolicy/AWS679f53fac002430cb0da5b7982bd2287/Resource
aws:asset:path: asset.f883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50cc
aws:asset:property: Code
AWS679f53fac002430cb0da5b7982bd2287LogRetentionCE72797A:
Type: Custom::LogRetention
Properties:
ServiceToken:
Fn::GetAtt:
- LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A
- Arn
LogGroupName:
Fn::Join:
- ""
- - /aws/lambda/
- Ref: AWS679f53fac002430cb0da5b7982bd22872D164C4C
RetentionInDays: 7
Metadata:
aws:cdk:path: PasswordPolicy/AWS679f53fac002430cb0da5b7982bd2287/LogRetention/Resource
LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Metadata:
aws:cdk:path: PasswordPolicy/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/Resource
LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:PutRetentionPolicy
- logs:DeleteRetentionPolicy
Effect: Allow
Resource: "*"
Version: "2012-10-17"
PolicyName: LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB
Roles:
- Ref: LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB
Metadata:
aws:cdk:path: PasswordPolicy/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/DefaultPolicy/Resource
LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket:
Ref: AssetParameters8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722S3Bucket31E35585
S3Key:
Fn::Join:
- ""
- - Fn::Select:
- 0
- Fn::Split:
- "||"
- Ref: AssetParameters8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722S3VersionKeyCB986FAC
- Fn::Select:
- 1
- Fn::Split:
- "||"
- Ref: AssetParameters8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722S3VersionKeyCB986FAC
Handler: index.handler
Role:
Fn::GetAtt:
- LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB
- Arn
Runtime: nodejs10.x
DependsOn:
- LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB
- LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB
Metadata:
aws:cdk:path: PasswordPolicy/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Resource
aws:asset:path: asset.8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722
aws:asset:property: Code
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Modules: aws-cdk=1.47.0,@aws-cdk/assets=1.47.0,@aws-cdk/aws-applicationautoscaling=1.47.0,@aws-cdk/aws-autoscaling=1.47.0,@aws-cdk/aws-autoscaling-common=1.47.0,@aws-cdk/aws-autoscaling-hooktargets=1.47.0,@aws-cdk/aws-cloudformation=1.47.0,@aws-cdk/aws-cloudtrail=1.47.0,@aws-cdk/aws-cloudwatch=1.47.0,@aws-cdk/aws-codebuild=1.47.0,@aws-cdk/aws-codepipeline=1.47.0,@aws-cdk/aws-codepipeline-actions=1.47.0,@aws-cdk/aws-ec2=1.47.0,@aws-cdk/aws-ecr=1.47.0,@aws-cdk/aws-ecr-assets=1.47.0,@aws-cdk/aws-ecs=1.47.0,@aws-cdk/aws-elasticloadbalancingv2=1.47.0,@aws-cdk/aws-events=1.47.0,@aws-cdk/aws-events-targets=1.47.0,@aws-cdk/aws-iam=1.47.0,@aws-cdk/aws-kms=1.47.0,@aws-cdk/aws-lambda=1.47.0,@aws-cdk/aws-logs=1.47.0,@aws-cdk/aws-s3=1.47.0,@aws-cdk/aws-s3-assets=1.47.0,@aws-cdk/aws-servicediscovery=1.47.0,@aws-cdk/aws-sns=1.47.0,@aws-cdk/aws-sns-subscriptions=1.47.0,@aws-cdk/aws-sqs=1.47.0,@aws-cdk/aws-ssm=1.47.0,@aws-cdk/cloud-assembly-schema=1.47.0,@aws-cdk/core=1.47.0,@aws-cdk/custom-resources=1.47.0,@aws-cdk/cx-api=1.47.0,@aws-cdk/region-info=1.47.0,jsii-runtime=node.js/v14.5.0
Parameters:
AssetParametersf883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50ccS3BucketA67797D4:
Type: String
Description: S3 bucket for asset "f883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50cc"
AssetParametersf883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50ccS3VersionKeyD2C3FB42:
Type: String
Description: S3 key for asset version "f883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50cc"
AssetParametersf883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50ccArtifactHashA58B31E8:
Type: String
Description: Artifact hash for asset "f883e12689f8357ff04376b1abab555e2b18f9992e78242d504a2c4d74bb50cc"
AssetParameters8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722S3Bucket31E35585:
Type: String
Description: S3 bucket for asset "8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722"
AssetParameters8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722S3VersionKeyCB986FAC:
Type: String
Description: S3 key for asset version "8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722"
AssetParameters8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722ArtifactHash3DDB380B:
Type: String
Description: Artifact hash for asset "8bef7b1944e840489ef981ee3a30a860d3908d87e672b2e241724f7967272722"
Raw
passwordpolicy.ts
const passwordPolicy = new AwsCustomResource(this, 'AccountPasswordPolicy', {
onUpdate: {
// will also be called for a CREATE event
service: 'IAM',
action: 'updateAccountPasswordPolicy',
parameters: {
AllowUsersToChangePassword: true,
HardExpiry: false,
MaxPasswordAge: 90,
MinimumPasswordLength: 18,
PasswordReusePrevention: 24,
RequireLowercaseCharacters: true,
RequireNumbers: true,
RequireSymbols: true,
RequireUppercaseCharacters: true,
},
physicalResourceId: PhysicalResourceId.of('AccountPasswordPolicy'),
},
policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
logRetention: logs.RetentionDays.ONE_WEEK,
});
@HannesOberreiter
Copy link

HannesOberreiter commented Jun 24, 2025
edited
Loading

Thanks for this! If anyone wants to disable MaxPasswordAge it is not 0 simply don't add the parameter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment