Weak credential policy - Temporary passwords
Need
Enhancement of credential policy for temporary passwords
Context
• Usage of Terraform for Infrastructure as Code (IaC)
• Usage of aws-sdk for interacting with Amazon Web Services (AWS) services
Description
1. Non compliant code
resource "aws_iam_user" "example" {
name = "example_user"
}
resource "aws_iam_user_login_profile" "example" {
user = aws_iam_user.example.name
pgp_key = "keybase:some_person_that_exists"
...The above Terraform code creates an IAM user and a login profile for the user without enforcing any password policy. The `aws_iam_user_login_profile` resource is used to create a login profile for the IAM user, which allows the user to sign-in to the AWS Management Console. The password for the user is provided by the `pgp_key` argument, which is currently set to a static value. Moreover, the code attaches a policy to the user allowing them to change their password (`iam:ChangePassword`). However, the policy does not enforce any rules for password strength. This means that users can choose weak passwords, which is a security risk. This lack of a strong credential policy for temporary passwords poses a serious security threat as it makes the system susceptible to brute force and password guessing attacks. The absence of a password complexity requirement means that users could potentially choose easily guessable passwords, thus compromising the security of the system.
2. Steps
• Implement a strong password policy for temporary passwords.
• Use a secure method to generate and store temporary passwords.
• Ensure that temporary passwords are only valid for a limited period of time.
• Enforce multi-factor authentication for users when they log in with temporary passwords.
• Regularly review and update the temporary password policy to align with best practices and industry standards.
3. Secure code example
resource "aws_iam_user" "example" {
name = "example_user"
}
resource "aws_iam_user_login_profile" "example" {
user = aws_iam_user.example.name
pgp_key = "keybase:some_person_that_exists"
password_reset_required = true...The updated code includes a strong password policy for temporary passwords. The `aws_iam_user_login_profile` resource now includes a `password_length` attribute set to 20 and a `password_reset_required` attribute set to true. This ensures that the temporary password is long and complex, and that the user is required to change it upon their next login. The `aws_iam_account_password_policy` resource has been added to enforce a strict password policy across the account. This policy includes a minimum password length of 20 characters, requirements for symbols, numbers, uppercase characters, and lowercase characters, and a maximum password age of 7 days. It also prevents password reuse and requires a password change if the password has expired. This updated code helps to mitigate the risk of weak temporary passwords by enforcing a strong password policy and requiring users to change their temporary passwords promptly.