
Weak credential policy - Password strength - AWS


Need

Implementation of a strong password policy


Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of AWS IAM User for managing user access and permissions in AWS
  3. Usage of aws_iam_user_login_profile for managing login profiles for AWS IAM users

Description

Insecure Code Example

resource "aws_iam_user_login_profile" "user" {
  user    = aws_iam_user.user.name
  pgp_key = "keybase:some_person_that_exists"
}

In the above code snippet, we are creating an IAM user login profile without enforcing any password policy. This means that the IAM user can have a weak password, which is a security risk. The policy does not enforce password length, complexity, or expiration, which are all recommended for a strong credential policy. A weak password policy can lead to unauthorized access if the password is easily guessed or brute-forced. It is recommended to enforce a strong password policy that includes a minimum password length, complexity requirements (including numbers, uppercase letters, lowercase letters, and non-alphanumeric characters), and password expiration.

Steps

  1. Update the credential policy to enforce strong password requirements.
  2. Require the use of phrases instead of word-based passwords.
  3. Implement a password complexity policy that includes a minimum length, a mix of uppercase and lowercase letters, numbers, and special characters.
  4. Consider implementing multi-factor authentication (MFA) for added security.
  5. Regularly educate users on the importance of strong passwords and the risks associated with weak passwords.
  6. Periodically review and update the credential policy to align with industry best practices.

Secure Code Example

# Password complexity rules are an account-wide setting in IAM, so they are
# declared on aws_iam_account_password_policy, not on the login profile.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90 # expiration in days; adjust to your policy
}

# The login profile controls the initial password handed to the user.
resource "aws_iam_user_login_profile" "user" {
  user                    = aws_iam_user.user.name
  pgp_key                 = "keybase:some_person_that_exists"
  password_length         = 14
  password_reset_required = true
}

The updated code now enforces a strong password policy for the AWS IAM user. Here's what each attribute does:

  • `minimum_password_length`: This sets the minimum password length to 14 characters for every password chosen in the account. You can increase this number based on your security requirements.
  • `require_uppercase_characters`: This ensures that the password must contain at least one uppercase letter.
  • `require_lowercase_characters`: This ensures that the password must contain at least one lowercase letter.
  • `require_numbers`: This ensures that the password must contain at least one number.
  • `require_symbols`: This ensures that the password must contain at least one special character.
  • `allow_users_to_change_password` and `max_password_age`: These let users rotate their own password and force rotation after the configured number of days.
  • `user`: This is the IAM user's name.
  • `pgp_key`: This is the keybase username of the person who will initially get the password; the generated password is encrypted to this key.
  • `password_length`: This sets the length of the generated initial password to 14 characters, matching the account minimum.
  • `password_reset_required`: This forces the user to change their password the next time they log in.

Because the `require_*` rules live on the account password policy, they apply to every IAM user in the account, not only to this login profile. This policy significantly improves the strength of the password, making it harder for attackers to guess or brute-force the password. It's also recommended to implement multi-factor authentication (MFA) for added security and to regularly educate users on the importance of strong passwords and the risks associated with weak passwords.
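To verify that the account-level policy the login profile relies on actually enforces these requirements, the following added Python check (not part of this page's Terraform) evaluates a dict with the shape of the `PasswordPolicy` object returned by the IAM `GetAccountPasswordPolicy` API; the sample policies and the 90-day maximum age are constructed for this example.

```python
"""Audit an AWS IAM account password policy against the requirements above.

The input dict has the shape of the ``PasswordPolicy`` object returned by the
IAM ``GetAccountPasswordPolicy`` API (boto3: iam.get_account_password_policy()).
When no policy has been set, that API raises NoSuchEntity; callers should pass
an empty dict in that case, which this check treats as fully non-compliant.
"""
from typing import Dict, List

MIN_LENGTH = 14     # minimum length recommended on this page
MAX_AGE_DAYS = 90   # assumed rotation period; the page gives no number


def check_password_policy(policy: Dict) -> List[str]:
    """Return a list of findings; an empty list means the policy is compliant."""
    findings: List[str] = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"minimum length {length} < {MIN_LENGTH}")
    for key, label in (
        ("RequireUppercaseCharacters", "uppercase letters"),
        ("RequireLowercaseCharacters", "lowercase letters"),
        ("RequireNumbers", "numbers"),
        ("RequireSymbols", "symbols"),
    ):
        if not policy.get(key, False):
            findings.append(f"{label} not required")
    # ExpirePasswords is only true when MaxPasswordAge is set on the policy.
    if (not policy.get("ExpirePasswords", False)
            or policy.get("MaxPasswordAge", 0) > MAX_AGE_DAYS):
        findings.append(f"password expiration missing or longer than {MAX_AGE_DAYS} days")
    return findings


# Constructed samples (not from a real account).
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "ExpirePasswords": False,
}
STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
}
```

Feed it `iam.get_account_password_policy()["PasswordPolicy"]` to audit a live account, or `{}` when that call raises NoSuchEntity.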


References

  • 363 - Weak credential policy - Password strength

Last updated: 2023/09/18