Weak credential policy - Password Expiration

Need

Implementation of a strong credential policy with password expiration

Context

  • Usage of Java 8 for developing applications with improved performance and features
  • Usage of AWS Java SDK IAM library for managing AWS Identity and Access Management (IAM) services
  • Usage of AWS Java SDK Core for interacting with Amazon Web Services (AWS) services

Description

Non compliant code

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.GetAccountPasswordPolicyResult;

public class AwsIamPolicy {
    // Placeholders: real keys belong in a credentials provider, never in source code
    private static final String ACCESS_KEY = "YOUR_ACCESS_KEY";
    private static final String SECRET_KEY = "YOUR_SECRET_KEY";

    public static void main(String[] args) {
        AWSCredentials awsCredentials = new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY);

        AmazonIdentityManagement client = AmazonIdentityManagementClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                .build();

        // Only reads the current account policy; nothing here enforces expiration
        GetAccountPasswordPolicyResult policyResult = client.getAccountPasswordPolicy();

        System.out.println("Password Expiration: " + policyResult.getPasswordPolicy().getExpirePasswords());
    }
}

This Java snippet illustrates a weak credential policy: the AWS IAM account has no password expiration in place, and the code only reports that fact without correcting it.

The AwsIamPolicy class contains a main method that initializes the AWS credentials from ACCESS_KEY and SECRET_KEY. These credentials are then used to build an AmazonIdentityManagement client.

The client retrieves the account's password policy with the getAccountPasswordPolicy method. The call returns a GetAccountPasswordPolicyResult object, which contains the password policy details for the IAM account.

Finally, the code prints whether password expiration is enabled by calling getExpirePasswords on the password policy. If this returns false, password expiration is not enabled, which is a security vulnerability.

Good security practices suggest that credentials (passwords) should be renewed every 90 days. If password expiration is disabled, the same password can be used indefinitely, leaving it exposed to brute-force and other password-related attacks for as long as it remains in use.

Steps

  • Enable password expiration in the AWS IAM policy
  • Set the password expiration period to 90 days

Compliant code

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.GetAccountPasswordPolicyResult;
import com.amazonaws.services.identitymanagement.model.UpdateAccountPasswordPolicyRequest;

public class AwsIamPolicy {
    // Placeholders: real keys belong in a credentials provider, never in source code
    private static final String ACCESS_KEY = "YOUR_ACCESS_KEY";
    private static final String SECRET_KEY = "YOUR_SECRET_KEY";

    public static void main(String[] args) {
        AWSCredentials awsCredentials = new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY);

        AmazonIdentityManagement client = AmazonIdentityManagementClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                .build();

        UpdateAccountPasswordPolicyRequest updateRequest = new UpdateAccountPasswordPolicyRequest()
                .withMaxPasswordAge(90)                 // Set password expiration to 90 days
                .withPasswordReusePrevention(5)         // Prevent reuse of the last 5 passwords
                .withRequireSymbols(true)               // Require at least one symbol
                .withRequireNumbers(true)               // Require at least one number
                .withRequireUppercaseCharacters(true)   // Require at least one uppercase letter
                .withRequireLowercaseCharacters(true);  // Require at least one lowercase letter

        // Apply the policy to the whole account
        client.updateAccountPasswordPolicy(updateRequest);

        // Read the policy back to confirm expiration is now enabled
        GetAccountPasswordPolicyResult policyResult = client.getAccountPasswordPolicy();

        System.out.println("Password Expiration: " + policyResult.getPasswordPolicy().getExpirePasswords());
    }
}

The updated code now includes a call to updateAccountPasswordPolicy with a new UpdateAccountPasswordPolicyRequest object. This object is configured to set the password expiration period to 90 days, prevent reuse of the last 5 passwords, and require at least one symbol, number, uppercase letter, and lowercase letter in each password. In IAM, setting MaxPasswordAge to a value greater than 0 is what makes ExpirePasswords report true.

This gives the AWS account a strong password policy that includes password expiration. After updating the policy, the code retrieves the current account password policy and prints whether password expiration is enabled.
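The snippets above read the policy blindly and overwrite it unconditionally. The following is an added example, not code from this page or from the AWS SDK, showing the two checks a practitioner would add before remediating: getAccountPasswordPolicy throws NoSuchEntityException (rather than returning an empty policy) when the account has never set one, and UpdateAccountPasswordPolicy is not a partial update, so any field left unset reverts to its IAM default. The class PasswordExpirationCheck and its methods are hypothetical; it assumes the AWS SDK for Java v1 IAM library on the classpath and credentials available through the default provider chain instead of constants in source.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.NoSuchEntityException;
import com.amazonaws.services.identitymanagement.model.PasswordPolicy;
import com.amazonaws.services.identitymanagement.model.UpdateAccountPasswordPolicyRequest;

// Hypothetical helper class (not part of the SDK or of this page's code)
public class PasswordExpirationCheck {

    // The page's requirement: passwords must expire at least every 90 days
    static final int MAX_PASSWORD_AGE_DAYS = 90;

    /**
     * True only when the policy expires passwords and the maximum age is within the limit.
     * A null policy means the account has never set one, which is non-compliant.
     */
    static boolean isExpirationCompliant(PasswordPolicy policy) {
        if (policy == null) {
            return false;
        }
        Integer maxAge = policy.getMaxPasswordAge();
        return Boolean.TRUE.equals(policy.getExpirePasswords())
                && maxAge != null
                && maxAge > 0
                && maxAge <= MAX_PASSWORD_AGE_DAYS;
    }

    /** Returns the account policy, or null when IAM reports that none exists. */
    static PasswordPolicy fetchPolicy(AmazonIdentityManagement iam) {
        try {
            return iam.getAccountPasswordPolicy().getPasswordPolicy();
        } catch (NoSuchEntityException e) {
            // IAM throws instead of returning an empty policy when none is configured
            return null;
        }
    }

    /**
     * Builds the remediation request. UpdateAccountPasswordPolicy is not a partial update:
     * every field left unset reverts to its IAM default, so the current settings are copied
     * over before the maximum age is enforced.
     */
    static UpdateAccountPasswordPolicyRequest remediationRequest(PasswordPolicy existing) {
        UpdateAccountPasswordPolicyRequest request = new UpdateAccountPasswordPolicyRequest();
        if (existing != null) {
            request.withMinimumPasswordLength(existing.getMinimumPasswordLength())
                    .withRequireSymbols(existing.getRequireSymbols())
                    .withRequireNumbers(existing.getRequireNumbers())
                    .withRequireUppercaseCharacters(existing.getRequireUppercaseCharacters())
                    .withRequireLowercaseCharacters(existing.getRequireLowercaseCharacters())
                    .withAllowUsersToChangePassword(existing.getAllowUsersToChangePassword())
                    .withPasswordReusePrevention(existing.getPasswordReusePrevention())
                    .withHardExpiry(existing.getHardExpiry());
        }
        // Setting MaxPasswordAge above 0 is what makes ExpirePasswords report true
        return request.withMaxPasswordAge(MAX_PASSWORD_AGE_DAYS);
    }

    public static void main(String[] args) {
        // Credentials come from the environment, profile or instance role, not from constants
        AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.standard()
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .build();

        PasswordPolicy current = fetchPolicy(iam);
        if (isExpirationCompliant(current)) {
            System.out.println("Compliant: passwords expire after "
                    + current.getMaxPasswordAge() + " days");
            return;
        }

        System.out.println("Non-compliant: " + (current == null
                ? "no account password policy is set"
                : "MaxPasswordAge is " + current.getMaxPasswordAge()));

        iam.updateAccountPasswordPolicy(remediationRequest(current));

        // Read the policy back rather than trusting that the update applied
        PasswordPolicy updated = fetchPolicy(iam);
        System.out.println("After update, compliant: " + isExpirationCompliant(updated));
    }
}
```

The caller needs iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy permissions. Because the request is rebuilt from the existing policy, running this against an account that already has a stricter minimum length or reuse-prevention setting tightens only the maximum age and leaves the rest intact, which is the behaviour an audit-and-fix job should have.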

References