
Database

Weak credential policy - Password strength

Need

Implementation of a strong password policy

Context

• Usage of Terraform for Infrastructure as Code (IaC)

• Usage of AWS IAM User for managing user access and permissions in AWS

• Usage of aws_iam_user_login_profile for managing login profiles for AWS IAM users

Description

1. Non-compliant code

resource "aws_iam_user_login_profile" "user" {
  user    = aws_iam_user.user.name
  pgp_key = "keybase:some_person_that_exists"
}

In the above code snippet, we are creating an IAM user login profile without enforcing any password policy: no account-level password policy is defined, so the IAM user can have a weak password, which is a security risk. Nothing here enforces password length, complexity, or expiration, all of which are recommended for a strong credential policy. A weak password policy can lead to unauthorized access if the password is easily guessed or brute-forced. It is recommended to enforce a strong password policy that includes a minimum password length, complexity requirements (numbers, uppercase letters, lowercase letters, and non-alphanumeric characters), and password expiration.

2. Steps

• Update the credential policy to enforce strong password requirements.

• Require the use of phrases instead of word-based passwords.

• Implement a password complexity policy that includes a minimum length, a mix of uppercase and lowercase letters, numbers, and special characters.

• Consider implementing multi-factor authentication (MFA) for added security.

• Regularly educate users on the importance of strong passwords and the risks associated with weak passwords.

• Periodically review and update the credential policy to align with industry best practices.

3. Secure code example

resource "aws_iam_user_login_profile" "user" {
  user                    = aws_iam_user.user.name
  pgp_key                 = "keybase:some_person_that_exists"
  password_length         = 14
  password_reset_required = true
}

# Complexity rules are account-wide: aws_iam_user_login_profile accepts only
# the four arguments above, so they belong on aws_iam_account_password_policy.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length      = 14
  require_uppercase_characters = true
  require_lowercase_characters = true
  require_numbers              = true
  require_symbols              = true
}

The updated code now enforces a strong password policy for the AWS IAM user. Here's what each attribute does:

• `user`: the IAM user's name.

• `pgp_key`: the Keybase username of the person who will initially receive the (PGP-encrypted) password.

• `password_length`: sets the length of the generated initial password to 14 characters. You can increase this number based on your security requirements.

• `password_reset_required`: forces the user to change their password the next time they log in.

• `require_uppercase_characters`: ensures that the password must contain at least one uppercase letter.

• `require_lowercase_characters`: ensures that the password must contain at least one lowercase letter.

• `require_numbers`: ensures that the password must contain at least one number.

• `require_symbols`: ensures that the password must contain at least one special character.

Note that `aws_iam_user_login_profile` only accepts `user`, `pgp_key`, `password_length` and `password_reset_required`; the `minimum_password_length` and `require_*` settings are arguments of `aws_iam_account_password_policy`, which applies to every IAM user in the account (including passwords users choose for themselves after the forced reset). This policy significantly improves the strength of the password, making it harder for attackers to guess or brute-force it. It's also recommended to implement multi-factor authentication (MFA) for added security and to regularly educate users on the importance of strong passwords and the risks associated with weak passwords.
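As an added check, not part of this page or of any Terraform tooling, the following Python script scans flat HCL resource blocks and reports a login profile with no account password policy, a policy below the thresholds described above, or a complexity flag placed on `aws_iam_user_login_profile`, which does not accept it. The regex-based parser, the 14-character threshold and the sample HCL are assumptions constructed for this example.

```python
import re

# Thresholds for this example (assumptions, not AWS defaults); tune to your own policy.
MIN_LENGTH = 14
REQUIRED_FLAGS = ("require_uppercase_characters", "require_lowercase_characters",
                  "require_numbers", "require_symbols")
# The only arguments aws_iam_user_login_profile accepts.
LOGIN_PROFILE_ARGS = {"user", "pgp_key", "password_length", "password_reset_required"}

BLOCK_RE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*([^\n#]+)', re.M)


def parse_resources(hcl):
    """Map (type, name) -> {argument: value} for flat top-level resource blocks."""
    resources = {}
    for rtype, name, body in BLOCK_RE.findall(hcl):
        resources[(rtype, name)] = {k: v.strip().strip('"') for k, v in ATTR_RE.findall(body)}
    return resources


def check_password_policy(hcl):
    """Return a list of findings for the given HCL; an empty list means compliant."""
    res = parse_resources(hcl)
    findings = []
    profiles = {k: v for k, v in res.items() if k[0] == "aws_iam_user_login_profile"}
    policies = {k: v for k, v in res.items() if k[0] == "aws_iam_account_password_policy"}
    for (_, name), args in profiles.items():
        for bad in sorted(set(args) - LOGIN_PROFILE_ARGS):  # e.g. require_symbols on a profile
            findings.append(f"{name}: '{bad}' is not an argument of aws_iam_user_login_profile")
    if profiles and not policies:
        findings.append("login profile(s) present but no aws_iam_account_password_policy")
    for (_, name), args in policies.items():
        length = args.get("minimum_password_length")
        if length is None or int(length) < MIN_LENGTH:
            findings.append(f"{name}: minimum_password_length must be >= {MIN_LENGTH}")
        for flag in REQUIRED_FLAGS:
            if args.get(flag) != "true":
                findings.append(f"{name}: {flag} must be true")
        if "max_password_age" not in args:
            findings.append(f"{name}: max_password_age not set, passwords never expire")
    return findings


# Constructed sample: the page's non-compliant profile with no account policy.
WEAK_HCL = '''
resource "aws_iam_user_login_profile" "user" {
  user    = aws_iam_user.user.name
  pgp_key = "keybase:some_person_that_exists"
}
'''
```

Run `check_password_policy` over the contents of each `.tf` file; `WEAK_HCL` yields the "no aws_iam_account_password_policy" finding, and appending the corrected account policy above clears it.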