Weak credential policy - Password Expiration
Need
Enforcement of strong credential policy - Password Expiration
Context
- Usage of Ruby for building dynamic and object-oriented applications
- Usage of aws-sdk-iam for managing AWS Identity and Access Management (IAM) resources
Description
Non compliant code
require 'aws-sdk-iam' # aws sdk gem for IAM
iam = Aws::IAM::Client.new(region: 'us-west-2')
# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})
# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})
# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})
# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: false, # Password expiration flag is disabled
})
In the above code, we are using the AWS SDK for IAM to manage AWS IAM users, groups and password policies.
First, we create an IAM client in the region 'us-west-2'. Then, we create an IAM group named 'MyGroovyGroup' and a user named 'MyGroovyUser', and add the user to the group.
Next, we create a password policy with the following attributes:
- minimum_password_length: 8
- require_symbols: true
- require_numbers: true
- require_uppercase_characters: true
- require_lowercase_characters: true
- allow_users_to_change_password: true
- password_reuse_prevention: 3
- hard_expiry: false
The vulnerability lies in the hard_expiry: false line. This line disables the password expiration flag, so the password of the IAM user 'MyGroovyUser' will never expire, which is a security risk.
Good security practices suggest that credentials should be renewed in 90-day periods. Therefore, the hard_expiry flag should be set to true and max_password_age should be set to 90. This ensures that the password expires every 90 days, prompting the user to change it and thereby enhancing the security of the application.
Steps
- Enable password expiration in the AWS IAM policy
- Set the password expiration period to 90 days
- Update the code to reflect the changes in the IAM policy
Compliant code
require 'aws-sdk-iam' # aws sdk gem for IAM
iam = Aws::IAM::Client.new(region: 'us-west-2')
# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})
# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})
# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})
# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: true, # Password expiration flag is enabled
  max_password_age: 90 # Password expiration period is set to 90 days
})
The updated code now includes a password policy that enforces password expiration every 90 days. This is achieved by setting the hard_expiry flag to true and max_password_age to 90.
The hard_expiry flag, when set to true, enables password expiration. The max_password_age parameter sets the maximum number of days that an IAM user's password is valid. When the specified number of days since the IAM user's password was last changed is exceeded, the IAM user is no longer allowed to use the AWS Management Console, but they can still access AWS services through the AWS CLI or AWS API.
This change ensures that the AWS IAM policy adheres to good security practices by requiring credentials to be renewed every 90 days.
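As an added example that is not part of the original page, the following Ruby audits an account password policy for the expiration settings described above and reports what is missing. It assumes the policy is a hash shaped like `iam.get_account_password_policy.password_policy.to_h`; the sample policies are constructed here rather than read from AWS.

```ruby
# Added audit helper (not from the original page). `policy` is a hash with the
# shape of `iam.get_account_password_policy.password_policy.to_h`; the samples
# at the bottom are constructed, not fetched from AWS.

MAX_PASSWORD_AGE_DAYS = 90 # renewal period the page recommends

# Returns a list of findings; an empty list means the policy is compliant.
# `policy` is nil when the account has no custom policy at all (the API raises
# NoSuchEntity in that case), which leaves AWS defaults in place: no expiration.
def expiration_findings(policy)
  return ['no account password policy set: passwords never expire'] if policy.nil?

  findings = []
  age = policy[:max_password_age].to_i
  # IAM treats an absent or zero max_password_age as "passwords never expire",
  # so the value must be present and within the 90-day window.
  if age.zero?
    findings << 'max_password_age not set: passwords never expire'
  elsif age > MAX_PASSWORD_AGE_DAYS
    findings << "max_password_age is #{age} days, exceeds #{MAX_PASSWORD_AGE_DAYS}"
  end
  # hard_expiry also stops a user whose password has already expired from
  # setting a new one themselves, so an administrator reset is then required.
  findings << 'hard_expiry is not enabled' unless policy[:hard_expiry] == true
  findings
end

def compliant?(policy)
  expiration_findings(policy).empty?
end

# Constructed samples mirroring the page's non-compliant and compliant policies.
NON_COMPLIANT_POLICY = {
  minimum_password_length: 8, require_symbols: true, require_numbers: true,
  require_uppercase_characters: true, require_lowercase_characters: true,
  allow_users_to_change_password: true, password_reuse_prevention: 3,
  hard_expiry: false
}.freeze
COMPLIANT_POLICY = NON_COMPLIANT_POLICY.merge(hard_expiry: true, max_password_age: 90).freeze

if __FILE__ == $PROGRAM_NAME
  { 'non-compliant' => NON_COMPLIANT_POLICY, 'compliant' => COMPLIANT_POLICY,
    'no policy' => nil }.each do |name, pol|
    f = expiration_findings(pol)
    puts "#{name}: #{f.empty? ? 'OK' : f.join('; ')}"
  end
end
```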