Weak credential policy - Password strength
Need
Implementation of a strong password policy
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of AWS IAM User for managing user access and permissions in AWS
- Usage of aws_iam_user_login_profile for managing login profiles for AWS IAM users
Description
Non compliant code
resource "aws_iam_user_login_profile" "user" {
user = "${aws_iam_user.user.name}"
pgp_key = "keybase:some_person_that_exists"
}
In the above code snippet, we are creating an IAM user login profile without enforcing any password policy. This means that the IAM user can have a weak password, which is a security risk. The policy does not enforce password length, complexity, or expiration, which are all recommended for a strong credential policy.
A weak password policy can lead to unauthorized access if the password is easily guessed or brute-forced. It is recommended to enforce a strong password policy that includes a minimum password length, complexity requirements (including numbers, uppercase letters, lowercase letters, and non-alphanumeric characters), and password expiration.
Steps
- Update the credential policy to enforce strong password requirements.
- Require the use of phrases instead of word-based passwords.
- Implement a password complexity policy that includes a minimum length, a mix of uppercase and lowercase letters, numbers, and special characters.
- Consider implementing multi-factor authentication (MFA) for added security.
- Regularly educate users on the importance of strong passwords and the risks associated with weak passwords.
- Periodically review and update the credential policy to align with industry best practices.
Compliant code
resource "aws_iam_user_login_profile" "user" {
user = "${aws_iam_user.user.name}"
pgp_key = "keybase:some_person_that_exists"
password_length = 14
password_reset_required = true
require_uppercase_characters = true
require_lowercase_characters = true
require_numbers = true
require_symbols = true
}
The updated code now enforces a strong password policy for the AWS IAM user. Here's what each attribute does:
user
: This is the IAM user's name.pgp_key
: This is the keybase username of the person who will initially get the password.password_length
: This sets the minimum password length to 14 characters. You can increase this number based on your security requirements.password_reset_required
: This forces the user to change their password the next time they log in.require_uppercase_characters
: This ensures that the password must contain at least one uppercase letter.require_lowercase_characters
: This ensures that the password must contain at least one lowercase letter.require_numbers
: This ensures that the password must contain at least one number.require_symbols
: This ensures that the password must contain at least one special character.
This policy significantly improves the strength of the password, making it harder for attackers to guess or brute-force the password. It's also recommended to implement multi-factor authentication (MFA) for added security and to regularly educate users on the importance of strong passwords and the risks associated with weak passwords.