Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How do I configure the password policy for my Amazon RDS for SQL Server instance?

2 minute read

I want to configure a password policy for my Amazon Relational Database Service (Amazon RDS) for Microsoft SQL Server instance.

Short description

Password policy, lockout, and expiration intervals are configured at the host level (OS, Microsoft Windows layer). Because Amazon RDS is a managed service, access to the operating system is restricted. To configure the password policy, use DB parameters. For more information, see Using password policy for SQL Server logins on Amazon RDS for SQL Server.

When you use SQL Server Management Studio (SSMS) or T-SQL to create or modify a login, the password policy is turned on by default.

Resolution

Logins that use SQL Server Authentication

If your login uses SQL Server Authentication, then modify the SQL Server password policy to set custom requirements for complexity, length, expiration, and lockout. Configure the following password policy DB parameters in your custom DB parameter group:

rds.password_complexity_enabled
rds.password_min_length
rds.password_min_age
rds.password_max_age
rds.password_lockout_threshold
rds.password_lockout_duration
rds.password_lockout_reset_counter_after

For more information, see Password policy parameters.

To identify the SQL Server logins that are configured with the password policy and the password expiration on the instance, run the following query:

select name, type_desc, create_date, modify_date, is_policy_checked,
       is_expiration_checked,  isnull(loginproperty(name,'DaysUntilExpiration'),'-') Days_to_Expire,  is_disabled

from sys.sql_logins

The following are the available options for password policy enforcement and password expiration for SQL Server logins:

The policy_checked column is 0: The SQL Server login doesn't do password policy enforcement.
The policy_checked column is 1 and is_expiration_checked is 0: The SQL Server login enforces password complexity and lockout, but not password expiration.
The policy_checked column and is_expiration_checked are both 1: The SQL Server login enforces password complexity, lockout, and password expiration.

Logins that use Windows Authentication

Configure the password policy for your Windows logins in your Microsoft Active Directory. For information, see Working with Active Directory with Amazon RDS for SQL Server.

Topics

Database Migration & Modernization Analytics

Relevant content

Change Password Policies using Custom RDS SQL Server
Luis
asked 2 years ago
How to sync the password of existing logins between Primary and Read Replica instance for RDS for SQL Server
Jitendra
asked a year ago
Can you give me python dash code to how to connect to the aws rds for sql server?
Shraddha
asked 2 years ago
Problem exporting RDS SQL Server database to S3
Accepted Answer
tcuroso
asked 2 months ago
Trigger on RDS SQL server instance
Sanjay
asked a year ago
How do I move SQL Server users from one RDS for SQL Server instance to another or to an on-premises environment from RDS?
AWS OFFICIALUpdated 2 years ago
How do I create a password policy in Amazon RDS for PostgreSQL?
AWS OFFICIALUpdated 9 months ago
How do I create a linked server in RDS for SQL Server with the source as RDS?
AWS OFFICIALUpdated 2 years ago
How do I use Amazon SES to send email when my Amazon RDS for Microsoft SQL Server instance is in either a public or private subnet?
AWS OFFICIALUpdated 9 months ago
Announcement: Amazon RDS for SQL Server is ending support for Microsoft SQL Server 2014
EXPERT
appadman
published 2 years ago