Weak credential policy - Temporary passwords
Need
Enhancement of credential policy for temporary passwords
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of aws-sdk for interacting with Amazon Web Services (AWS) services
Description
Non compliant code
resource "aws_iam_user" "example" {
name = "example_user"
}
resource "aws_iam_user_login_profile" "example" {
user = aws_iam_user.example.name
pgp_key = "keybase:some_person_that_exists"
}
data "aws_iam_policy_document" "example" {
statement {
actions = ["iam:ChangePassword"]
resources = [aws_iam_user.example.arn]
}
}
resource "aws_iam_user_policy" "example" {
name = "example_policy"
user = aws_iam_user.example.name
policy = data.aws_iam_policy_document.example.json
}
The above Terraform code creates an IAM user and a login profile for the user without enforcing any password policy. The aws_iam_user_login_profile resource is used to create a login profile for the IAM user, which allows the user to sign-in to the AWS Management Console. The password for the user is provided by the pgp_key argument, which is currently set to a static value.
Moreover, the code attaches a policy to the user allowing them to change their password (iam:ChangePassword). However, the policy does not enforce any rules for password strength. This means that users can choose weak passwords, which is a security risk.
This lack of a strong credential policy for temporary passwords poses a serious security threat as it makes the system susceptible to brute force and password guessing attacks. The absence of a password complexity requirement means that users could potentially choose easily guessable passwords, thus compromising the security of the system.
Steps
- Implement a strong password policy for temporary passwords.
- Use a secure method to generate and store temporary passwords.
- Ensure that temporary passwords are only valid for a limited period of time.
- Enforce multi-factor authentication for users when they log in with temporary passwords.
- Regularly review and update the temporary password policy to align with best practices and industry standards.
Compliant code
resource "aws_iam_user" "example" {
name = "example_user"
}
resource "aws_iam_user_login_profile" "example" {
user = aws_iam_user.example.name
pgp_key = "keybase:some_person_that_exists"
password_length = 20
password_reset_required = true
}
data "aws_iam_policy_document" "example" {
statement {
actions = ["iam:ChangePassword"]
resources = [aws_iam_user.example.arn]
}
}
resource "aws_iam_user_policy" "example" {
name = "example_policy"
user = aws_iam_user.example.name
policy = data.aws_iam_policy_document.example.json
}
resource "aws_iam_account_password_policy" "strict" {
minimum_password_length = 20
require_symbols = true
require_numbers = true
require_uppercase_characters = true
require_lowercase_characters = true
allow_users_to_change_password = true
max_password_age = 7
password_reuse_prevention = 5
hard_expiry = true
}
The updated code includes a strong password policy for temporary passwords. The aws_iam_user_login_profile resource now includes a password_length attribute set to 20 and a password_reset_required attribute set to true. This ensures that the temporary password is long and complex, and that the user is required to change it upon their next login.
The aws_iam_account_password_policy resource has been added to enforce a strict password policy across the account. This policy includes a minimum password length of 20 characters, requirements for symbols, numbers, uppercase characters, and lowercase characters, and a maximum password age of 7 days. It also prevents password reuse and requires a password change if the password has expired.
This updated code helps to mitigate the risk of weak temporary passwords by enforcing a strong password policy and requiring users to change their temporary passwords promptly.