Weak credential policy - Password Expiration
Need
Enforcement of strong password expiration policy
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of AWS SDK for interacting with Amazon Web Services
Description
Non-compliant code
provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "user" {
  name = "my_user"
}

resource "aws_iam_user_login_profile" "user_profile" {
  user                    = aws_iam_user.user.name
  password_reset_required = true
  password_length         = 14
}
In the code above, we define an AWS IAM user named "my_user" using Terraform, together with a login profile for that user via the aws_iam_user_login_profile resource. The password_reset_required attribute is set to true, which forces the user to change their password the next time they sign in. The password_length attribute is set to 14, which defines the minimum length of the password.
However, the code does not enforce password expiration: the user's password will never expire automatically after a set period, which is a potential security vulnerability.
Good security practices suggest that credentials be renewed every 90 days. Without a password expiration policy, an attacker who has obtained a user's credentials retains access indefinitely, for as long as the password remains unchanged.
Steps
- Enable password expiration for the IAM user by setting the password_reset_required attribute to true.
- Set a password expiration policy for the IAM user to enforce regular password renewal.
- Consider setting a reasonable password length requirement to enhance security.
- Regularly review and update the credential policies to align with security and cloud standards.
Compliant code
provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "user" {
  name = "my_user"
}

resource "aws_iam_user_login_profile" "user_profile" {
  user                    = aws_iam_user.user.name
  password_reset_required = true
  password_length         = 14
}

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 10
}
The updated code includes a new resource, aws_iam_account_password_policy, which enforces a strict, account-wide password policy. This policy includes:
- minimum_password_length: sets the minimum password length to 14 characters.
- require_lowercase_characters: ensures that the password includes at least one lowercase character.
- require_numbers: ensures that the password includes at least one numeric character.
- require_uppercase_characters: ensures that the password includes at least one uppercase character.
- require_symbols: ensures that the password includes at least one special character.
- allow_users_to_change_password: allows users to change their own passwords.
- max_password_age: sets the maximum password age to 90 days, enforcing password expiration and requiring users to change their passwords every 90 days.
- password_reuse_prevention: prevents users from reusing their last 10 passwords.
This policy aligns with good security practices by enforcing strong passwords and regular password changes.
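To verify that a deployed account actually matches the policy above, the same thresholds can be checked against the response of the AWS SDK call iam.get_account_password_policy(). The following audit function is an added example, not code from the original page; it works on the PasswordPolicy dict that boto3 returns (fetching it is left to the caller, and the sample policies are constructed, not captured from a real account).

```python
from __future__ import annotations

# Thresholds taken from the compliant aws_iam_account_password_policy above.
REQUIRED = {
    "MinimumPasswordLength": 14,
    "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
    "PasswordReusePrevention": 10,
}
MAX_PASSWORD_AGE_DAYS = 90

def audit_password_policy(policy: dict | None) -> list[str]:
    """Return findings for an IAM PasswordPolicy dict; an empty list means compliant.
    Pass None when the account has no policy at all (boto3's
    get_account_password_policy() raises NoSuchEntityException in that case)."""
    if policy is None:
        return ["no account password policy is set (AWS defaults apply)"]
    findings = []
    for key, expected in REQUIRED.items():
        actual = policy.get(key)
        if isinstance(expected, bool):
            if actual is not True:
                findings.append(f"{key} should be true, got {actual!r}")
        elif actual is None or actual < expected:
            findings.append(f"{key} should be >= {expected}, got {actual!r}")
    # Expiration is in force only when ExpirePasswords is true and MaxPasswordAge
    # is set; leaving MaxPasswordAge out (the non-compliant case) disables it.
    if not policy.get("ExpirePasswords") or "MaxPasswordAge" not in policy:
        findings.append("password expiration is disabled (MaxPasswordAge not set)")
    elif policy["MaxPasswordAge"] > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"MaxPasswordAge {policy['MaxPasswordAge']} exceeds "
                        f"{MAX_PASSWORD_AGE_DAYS} days")
    return findings

# Constructed samples in the boto3 response shape (not captured from a real account).
STRICT_POLICY = {  # mirrors the compliant Terraform resource
    "MinimumPasswordLength": 14, "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True, "RequireNumbers": True, "RequireSymbols": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 10, "HardExpiry": False,
}
COMPLEXITY_ONLY_POLICY = {  # strong characters, but no expiration or reuse history
    "MinimumPasswordLength": 14, "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True, "RequireNumbers": True, "RequireSymbols": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}
```

A policy that only enforces character complexity, as in COMPLEXITY_ONLY_POLICY, still produces findings for the missing expiration and reuse history, which is exactly the gap the non-compliant Terraform leaves open.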