Weak credential policy - Temporary passwords - Aws


Need

Enhancement of credential policy for temporary passwords


Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Insecure Code Example

resource "aws_iam_user" "example" {
  name = "example_user"
}

resource "aws_iam_user_login_profile" "example" {
  user    = aws_iam_user.example.name
  pgp_key = "keybase:some_person_that_exists"
}

data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["iam:ChangePassword"]
    resources = [aws_iam_user.example.arn]
  }
}

resource "aws_iam_user_policy" "example" {
  name   = "example_policy"
  user   = aws_iam_user.example.name
  policy = data.aws_iam_policy_document.example.json
}

The above Terraform code creates an IAM user and a login profile for that user without enforcing any password policy. The `aws_iam_user_login_profile` resource creates a login profile for the IAM user, which allows the user to sign in to the AWS Management Console. The password for the user is provided by the `pgp_key` argument, which is currently set to a static value. The code also attaches a policy that allows the user to change their own password (`iam:ChangePassword`), but nothing enforces any rules for password strength. Users can therefore choose weak, easily guessable passwords, and this lack of a strong credential policy for temporary passwords leaves the account susceptible to brute-force and password-guessing attacks.

Steps

  1. Implement a strong password policy for temporary passwords.
  2. Use a secure method to generate and store temporary passwords.
  3. Ensure that temporary passwords are only valid for a limited period of time.
  4. Enforce multi-factor authentication for users when they log in with temporary passwords.
  5. Regularly review and update the temporary password policy to align with best practices and industry standards.

Secure Code Example

resource "aws_iam_user" "example" {
  name = "example_user"
}

resource "aws_iam_user_login_profile" "example" {
  user                    = aws_iam_user.example.name
  pgp_key                 = "keybase:some_person_that_exists"
  password_length         = 20
  password_reset_required = true
}

data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["iam:ChangePassword"]
    resources = [aws_iam_user.example.arn]
  }
}

resource "aws_iam_user_policy" "example" {
  name   = "example_policy"
  user   = aws_iam_user.example.name
  policy = data.aws_iam_policy_document.example.json
}

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 20
  require_symbols                = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  allow_users_to_change_password = true
  max_password_age               = 7
  password_reuse_prevention      = 5
  hard_expiry                    = true
}

The updated code includes a strong password policy for temporary passwords. The `aws_iam_user_login_profile` resource now includes a `password_length` attribute set to 20 and a `password_reset_required` attribute set to true. This ensures that the temporary password is long and complex, and that the user is required to change it upon their next login. The `aws_iam_account_password_policy` resource has been added to enforce a strict password policy across the account. This policy includes a minimum password length of 20 characters, requirements for symbols, numbers, uppercase characters, and lowercase characters, and a maximum password age of 7 days. It also prevents password reuse and requires a password change if the password has expired. This updated code helps to mitigate the risk of weak temporary passwords by enforcing a strong password policy and requiring users to change their temporary passwords promptly.
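A quick way to verify that an account actually carries the policy above is to compare the live IAM password policy against the values of the `strict` resource. The following Python script is an added example, not part of the original page; it assumes the policy dictionary has the shape of the `PasswordPolicy` mapping returned by IAM GetAccountPasswordPolicy (with boto3: `iam.get_account_password_policy()["PasswordPolicy"]`, which raises `NoSuchEntityException` when no policy exists), and the weak sample policy is constructed here so it runs offline.

```python
from typing import Optional

# Baseline mirrors the aws_iam_account_password_policy "strict" resource above.
BASELINE = {
    "MinimumPasswordLength": 20,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 7,
    "PasswordReusePrevention": 5,
    "HardExpiry": True,
}
AT_LEAST = {"MinimumPasswordLength", "PasswordReusePrevention"}  # larger is stricter, fine


def audit_password_policy(policy: Optional[dict]) -> list:
    """Return findings for the "PasswordPolicy" mapping returned by IAM
    GetAccountPasswordPolicy (boto3: iam.get_account_password_policy()).
    Pass None when the API raised NoSuchEntity, i.e. no policy is set."""
    if policy is None:
        return ["no account password policy configured (AWS defaults apply)"]
    findings = []
    for key, expected in BASELINE.items():
        actual = policy.get(key)
        if key in AT_LEAST:
            ok = actual is not None and actual >= expected
        elif key == "MaxPasswordAge":
            # With ExpirePasswords false (or no age set) passwords never expire.
            ok = bool(policy.get("ExpirePasswords")) and actual is not None and actual <= expected
        else:
            ok = actual == expected
        if not ok:
            findings.append(f"{key}: got {actual!r}, baseline {expected!r}")
    return findings


# Constructed sample of a lax policy so the script runs offline.
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
    "PasswordReusePrevention": 1, "HardExpiry": False,
}

if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_WEAK_POLICY):
        print(finding)
```

An empty findings list means the account meets the baseline; running it against the sample reports the short minimum length, missing symbols, disabled expiry, weak reuse prevention and missing hard expiry.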


References

  • 364 - Weak credential policy - Temporary passwords

Last updated: 2023/09/18