
Weak credential policy - Password strength - Cloudformation


Need

Implementation of a strong password policy


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS IAM for managing user access and permissions

Description

Insecure Code Example

Resources:
  # No AWS::IAM::AccountPasswordPolicy resource: the account default applies
  WeakIAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: my-user

  WeakLoginProfile:
    Type: AWS::IAM::LoginProfile
    Properties:
      UserName: !Ref WeakIAMUser
      # Plaintext initial password stored in the template itself
      Password: "TemporaryPassword123"
      # The user is never forced to replace it at first sign-in
      PasswordResetRequired: false

This CloudFormation example creates an IAM user with a console login profile whose initial password is a plaintext literal in the template (visible to anyone who can read the template or the stack's history) and which the user is not required to change at first sign-in. It also defines no `AWS::IAM::AccountPasswordPolicy`, so the account's default policy (an 8-character minimum) applies and users can keep or choose weak passwords, leaving console sign-in more susceptible to brute-force, credential-stuffing and guessing attacks.

Steps

  1. Add an `AWS::IAM::AccountPasswordPolicy` resource to the CloudFormation template. The policy is account-wide (one per AWS account), so define it once in a baseline stack rather than in every workload template.
  2. Set `MinimumPasswordLength` to at least 14.
  3. Set `RequireUppercaseCharacters`, `RequireLowercaseCharacters`, `RequireNumbers` and `RequireSymbols` to `true`.
  4. Optionally set `PasswordReusePrevention` and `MaxPasswordAge`, and keep `AllowUsersToChangePassword` enabled so users can rotate their own passwords when they expire.
  5. Educate users on strong password usage and enforce MFA for console access.

Secure Code Example

Resources:
  StrongPasswordPolicy:
    Type: AWS::IAM::AccountPasswordPolicy
    Properties:
      MinimumPasswordLength: 14          # length floor recommended above
      RequireUppercaseCharacters: true   # all four character classes required
      RequireLowercaseCharacters: true
      RequireNumbers: true
      RequireSymbols: true
      AllowUsersToChangePassword: true   # users can rotate their own passwords
      PasswordReusePrevention: 5         # last 5 passwords cannot be reused
      MaxPasswordAge: 90                 # days before a password expires

This CloudFormation example defines a strong password policy with the `AWS::IAM::AccountPasswordPolicy` resource. It enforces a minimum length, all four character classes, reuse prevention and password expiration. The policy governs the console passwords of IAM users across the whole account; it does not cover access keys or identities that sign in through IAM Identity Center or an external identity provider. The login profile from the insecure example should additionally set `PasswordResetRequired: true`, so the initial password is replaced with one that satisfies the policy, and should take its initial value from a Secrets Manager or SSM SecureString dynamic reference rather than a literal in the template.
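As an added example (not part of this page and not AWS tooling), the following Python script turns the Steps above and the secure policy into a check that can run in a pipeline: it reads a CloudFormation template in its JSON form (no YAML library needed), flags a missing or under-configured `AWS::IAM::AccountPasswordPolicy` and a `LoginProfile` whose password is a plaintext literal or does not require a reset, and evaluates candidate passwords against the policy from the secure example. The two templates and the Secrets Manager secret name `my-user-initial-pw` are constructed for the example.

```python
"""Lint a CloudFormation template (JSON form) for weak IAM password settings.

Added example for this page; not code from AWS. Standard library only, so it
runs offline against the constructed templates below.
"""
import json
import re

# Thresholds taken from the Steps section of this page.
MIN_LENGTH = 14
REQUIRED_FLAGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)
# Characters IAM counts as symbols for RequireSymbols.
SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")
# CloudFormation dynamic references are resolved at deploy time, not literals.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")


def _is_true(value) -> bool:
    # CloudFormation accepts JSON booleans or the strings "true"/"false".
    return value is True or value == "true"


def resources_of_type(template: dict, rtype: str) -> list:
    """Return [(logical_id, properties)] for every resource of the given type."""
    return [(name, res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == rtype]


def lint_template(template_text: str) -> list:
    """Return human-readable findings; an empty list means the template passes."""
    tpl = json.loads(template_text)
    findings = []

    policies = resources_of_type(tpl, "AWS::IAM::AccountPasswordPolicy")
    if not policies:
        findings.append("no AWS::IAM::AccountPasswordPolicy resource: "
                        "the account default (8-character minimum) applies")
    for name, props in policies:
        if int(props.get("MinimumPasswordLength", 0)) < MIN_LENGTH:
            findings.append(f"{name}: MinimumPasswordLength below {MIN_LENGTH}")
        for flag in REQUIRED_FLAGS:
            if not _is_true(props.get(flag)):
                findings.append(f"{name}: {flag} is not true")
        if int(props.get("PasswordReusePrevention", 0)) < 1:
            findings.append(f"{name}: PasswordReusePrevention not set")
        if "MaxPasswordAge" not in props:
            findings.append(f"{name}: MaxPasswordAge not set, passwords never expire")

    for name, props in resources_of_type(tpl, "AWS::IAM::LoginProfile"):
        password = props.get("Password")
        if isinstance(password, str) and not DYNAMIC_REF.match(password):
            findings.append(f"{name}: Password is a plaintext literal in the template")
        if not _is_true(props.get("PasswordResetRequired")):
            findings.append(f"{name}: PasswordResetRequired is not true")
    return findings


def password_meets_policy(password: str, policy: dict) -> bool:
    """Apply the length and character-class rules of an AccountPasswordPolicy,
    the checks IAM performs when a user sets a console password."""
    if len(password) < int(policy.get("MinimumPasswordLength", 0)):
        return False
    present = {
        "RequireUppercaseCharacters": any(c.isupper() for c in password),
        "RequireLowercaseCharacters": any(c.islower() for c in password),
        "RequireNumbers": any(c.isdigit() for c in password),
        "RequireSymbols": any(c in SYMBOLS for c in password),
    }
    return all(present[f] for f in REQUIRED_FLAGS if _is_true(policy.get(f)))


# Constructed sample: the page's insecure login profile plus a policy that
# exists but is weaker than the Steps require.
WEAK_TEMPLATE = json.dumps({"Resources": {
    "WeakIAMUser": {"Type": "AWS::IAM::User",
                    "Properties": {"UserName": "my-user"}},
    "WeakLoginProfile": {"Type": "AWS::IAM::LoginProfile",
                         "Properties": {"UserName": {"Ref": "WeakIAMUser"},
                                        "Password": "TemporaryPassword123",
                                        "PasswordResetRequired": False}},
    "WeakPolicy": {"Type": "AWS::IAM::AccountPasswordPolicy",
                   "Properties": {"MinimumPasswordLength": 8,
                                  "RequireUppercaseCharacters": True,
                                  "RequireLowercaseCharacters": True,
                                  "RequireNumbers": True,
                                  "RequireSymbols": False}}}})

# Constructed sample: the page's secure policy, plus a login profile whose
# initial password comes from Secrets Manager (assumed secret name) and
# must be changed at first sign-in.
STRONG_POLICY = {"MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "RequireNumbers": True,
                 "RequireSymbols": True, "AllowUsersToChangePassword": True,
                 "PasswordReusePrevention": 5, "MaxPasswordAge": 90}
STRONG_TEMPLATE = json.dumps({"Resources": {
    "StrongPasswordPolicy": {"Type": "AWS::IAM::AccountPasswordPolicy",
                             "Properties": STRONG_POLICY},
    "User": {"Type": "AWS::IAM::User", "Properties": {"UserName": "my-user"}},
    "LoginProfile": {"Type": "AWS::IAM::LoginProfile",
                     "Properties": {"UserName": {"Ref": "User"},
                                    "Password": "{{resolve:secretsmanager:"
                                                "my-user-initial-pw:SecretString:password}}",
                                    "PasswordResetRequired": True}}}})

if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("strong", STRONG_TEMPLATE)):
        print(label, lint_template(text) or ["OK"])
    print(password_meets_policy("TemporaryPassword123", STRONG_POLICY))  # False: no symbol
    print(password_meets_policy("Temp0rary-Pass!word", STRONG_POLICY))  # True
```

Run as `python lint_password_policy.py`: the weak template yields six findings (short minimum length, symbols not required, no reuse prevention, no expiry, a plaintext password and no forced reset), the strong one passes, and the page's `TemporaryPassword123` fails the secure policy only because it contains no symbol. To lint a real template, convert it to JSON first (for example with `cfn-flip`) or swap `json.loads` for a YAML loader that understands the `!Ref` short tags.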


References

  • 363 - Weak credential policy - Password strength

  • Last updated

    2025/04/04