
Weak credential policy - Password Expiration - Aws


Need

Enforcement of strong password expiration policy


Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of AWS SDK for interacting with Amazon Web Services

Description

Insecure Code Example

provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "user" {
  name = "my_user"
}

resource "aws_iam_user_login_profile" "user_profile" {
  user                    = aws_iam_user.user.name
  password_reset_required = true
  password_length         = 14
}

In the code above, we are defining an AWS IAM user named "my_user" using Terraform. We also define a login profile for this user with the `aws_iam_user_login_profile` resource. The `password_reset_required` attribute is set to `true`, which means that the user is forced to change their password the next time they sign in. The `password_length` attribute is set to `14`, which defines the minimum length of the password. However, the code does not enforce password expiration: `password_reset_required` forces only a single reset at the next sign-in, and no account password policy sets a maximum password age. This means that the password for the user will not automatically expire after a certain period of time, which is a potential security vulnerability. Good security practices suggest that credentials should be renewed in 90-day periods. Without a password expiration policy, an attacker who has gained access to a user's credentials could continue to have access indefinitely, as long as the password remains unchanged.

Steps

  1. Enable password expiration for the IAM user by setting the `password_reset_required` attribute to `true`.
  2. Set a password expiration policy for the IAM user to enforce regular password renewal.
  3. Consider setting a reasonable password length requirement to enhance security.
  4. Regularly review and update the credential policies to align with security and cloud standards.

Secure Code Example

provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "user" {
  name = "my_user"
}

resource "aws_iam_user_login_profile" "user_profile" {
  user                    = aws_iam_user.user.name
  password_reset_required = true
  password_length         = 14
}

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 10
}

The updated code includes a new resource `aws_iam_account_password_policy` which is used to enforce a strict password policy for the AWS account. Note that this resource configures the account-wide policy; IAM has no per-user expiration setting, so `max_password_age` applies to every IAM user with a console password. This policy includes:

  • `minimum_password_length`: sets the minimum password length to 14 characters.
  • `require_lowercase_characters`: ensures that the password includes at least one lowercase character.
  • `require_numbers`: ensures that the password includes at least one numeric character.
  • `require_uppercase_characters`: ensures that the password includes at least one uppercase character.
  • `require_symbols`: ensures that the password includes at least one special character.
  • `allow_users_to_change_password`: allows users to change their own passwords.
  • `max_password_age`: sets the maximum password age to 90 days, enforcing password expiration and requiring users to change their passwords every 90 days.
  • `password_reuse_prevention`: prevents users from reusing their last 10 passwords.

This policy aligns with good security practices by enforcing strong passwords and regular password changes.
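Applying the policy is only half of step 4 above; the other half is checking that the deployed account policy actually matches the thresholds in the secure example (expiration at 90 days, length 14, reuse prevention 10, all character classes). The following checker is an added example, not part of the original page or of the AWS or Terraform projects. It evaluates the `PasswordPolicy` mapping returned by the IAM `GetAccountPasswordPolicy` API (in boto3, `iam.get_account_password_policy()`), whose key names are the API's own; the sample policies are constructed here so the check runs offline, and `fetch_policy` is the only part that talks to AWS.

```python
"""Audit an AWS account password policy against this page's thresholds.

Added example, not part of the original page or of the AWS/Terraform
projects. The input is the 'PasswordPolicy' mapping returned by the IAM
GetAccountPasswordPolicy API (boto3: iam.get_account_password_policy());
its key names are the API's own. The sample policies are constructed
here so the check runs offline; fetch_policy() is the only part that
talks to AWS and is not exercised by the samples.
"""
from typing import Any, Dict, List, Optional

# Thresholds taken from the secure Terraform example above.
MAX_PASSWORD_AGE_DAYS = 90   # max_password_age
MIN_PASSWORD_LENGTH = 14     # minimum_password_length
MIN_REUSE_PREVENTION = 10    # password_reuse_prevention

# Boolean fields that the secure example sets to true, by API key name.
REQUIRED_FLAGS = (
    "RequireLowercaseCharacters",
    "RequireUppercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
    "AllowUsersToChangePassword",
)


def audit_password_policy(policy: Optional[Dict[str, Any]]) -> List[str]:
    """Return a list of findings; an empty list means the policy passes.

    `policy` is None when the account has no custom password policy at
    all, which is the AWS default and means passwords never expire.
    """
    if policy is None:
        return ["no account password policy is set: passwords never expire"]

    findings: List[str] = []

    # Expiration is the point of this page: the API reports ExpirePasswords
    # as false (and omits MaxPasswordAge) when max_password_age is 0.
    if not policy.get("ExpirePasswords", False):
        findings.append("password expiration is disabled (max_password_age is 0)")
    else:
        age = policy.get("MaxPasswordAge")
        if age is None or age > MAX_PASSWORD_AGE_DAYS:
            findings.append(
                f"MaxPasswordAge is {age}; must be at most {MAX_PASSWORD_AGE_DAYS} days"
            )

    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"MinimumPasswordLength is {length}; must be at least {MIN_PASSWORD_LENGTH}"
        )

    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < MIN_REUSE_PREVENTION:
        findings.append(
            f"PasswordReusePrevention is {reuse}; must be at least {MIN_REUSE_PREVENTION}"
        )

    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enabled")

    return findings


def fetch_policy(iam_client: Any) -> Optional[Dict[str, Any]]:
    """Read the live policy with a boto3 IAM client (boto3.client("iam")).

    IAM raises NoSuchEntity when no custom policy exists; map that to
    None so audit_password_policy reports it as a finding.
    """
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


# Constructed sample responses, shaped like the API output.
# What the account looks like after the insecure example: no policy at all.
NO_POLICY = None

# What the secure example's aws_iam_account_password_policy produces.
STRICT_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 10,
    "HardExpiry": False,
}

# A policy that exists but leaves passwords unexpired and weak.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

if __name__ == "__main__":
    for name, sample in (("none", NO_POLICY), ("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        result = audit_password_policy(sample)
        print(f"{name}: {'OK' if not result else result}")
```

Run against a live account with `audit_password_policy(fetch_policy(boto3.client("iam")))`; a non-empty list is a finding to fix in the Terraform `aws_iam_account_password_policy` resource. The checker treats a missing policy as the worst case, because the AWS default policy has no maximum password age, which is exactly the state the insecure example leaves the account in.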


References

  • 277 - Weak credential policy - Password Expiration

  • Last updated: 2023/09/18