Weak credential policy - Password Expiration

Need

Enforcement of strong credential policy - Password Expiration

Context

Usage of Ruby for building dynamic and object-oriented applications
Usage of aws-sdk-iam for managing AWS Identity and Access Management (IAM) resources

Description

Non compliant code

require 'aws-sdk-iam'  # aws sdk gem for IAM

iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})

# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})

# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: false,   # Password expiration flag is disabled
})

In the above code, we are using AWS SDK for IAM to manage AWS IAM users, groups and password policies.

First, we create an IAM client with the region 'us-west-2'. Then, we create an IAM group named 'MyGroovyGroup' and a user named 'MyGroovyUser'. We then add the user to the group.

Next, we create a password policy with the following attributes:

minimum_password_length: 8
require_symbols: true
require_numbers: true
require_uppercase_characters: true
require_lowercase_characters: true
allow_users_to_change_password: true
password_reuse_prevention: 3
hard_expiry: false

The vulnerability lies in the hard_expiry: false line. This line disables the password expiration flag. This means that the password for the IAM user 'MyGroovyUser' will not expire, which is a security risk.

Good security practices suggest that credentials should be renewed in 90 day periods. Therefore, the hard_expiry flag should be set to true and the max_password_age should be set to 90. This will ensure that the password expires every 90 days, prompting the user to change their password and thereby enhancing the security of the application.

Steps

Enable password expiration in the AWS IAM policy
Set the password expiration period to 90 days
Update the code to reflect the changes in the IAM policy

Compliant code

require 'aws-sdk-iam'  # aws sdk gem for IAM

iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})

# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})

# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: true,   # Password expiration flag is enabled
  max_password_age: 90 # Password expiration period is set to 90 days
})

The updated code now includes a password policy that enforces password expiration every 90 days. This is achieved by setting the hard_expiry flag to true and the max_password_age to 90.

The hard_expiry flag, when set to true, enables password expiration. The max_password_age parameter sets the maximum number of days that an IAM user's password is valid. When the specified number of days since IAM user's password was last changed is exceeded, the IAM user is no longer allowed to use the AWS Management Console, but they can still access AWS services through the AWS CLI or AWS API.

This change ensures that the AWS IAM policy adheres to good security practices by requiring credentials to be renewed every 90 days.

References

277.Weak credential policy - Password Expiration

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​