Weak credential policy - Password Expiration
Need
Implementation of a strong credential policy with password expiration
Context
• Usage of Java 8 for developing applications with improved performance and features
• Usage of AWS Java SDK IAM library for managing AWS Identity and Access Management (IAM) services
• Usage of AWS Java SDK Core for interacting with Amazon Web Services (AWS) services
Description
1. Non compliant code
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.GetAccountPasswordPolicyResult;
public class AwsIamPolicy {
private static final String SECRET_KEY = "YOUR_SECRET_KEY";...This Java code snippet demonstrates the vulnerability of a weak credential policy, specifically the issue of not having a password expiration policy in place for an AWS IAM account. The `AwsIamPolicy` class contains a `main` method which initializes the AWS credentials with `ACCESS_KEY` and `SECRET_KEY`. These credentials are then used to build an `AmazonIdentityManagementClient`. The client then retrieves the account's password policy using the `getAccountPasswordPolicy` method. The result of this method call is an object of `GetAccountPasswordPolicyResult` class which contains the password policy details for the IAM account. Finally, the code prints whether password expiration is enabled or not by calling `getExpirePasswords` on the password policy. If the output of this is `false`, it means that the password expiration is not enabled, which is a security vulnerability. Good security practices suggest that credentials (passwords) should be renewed in 90-day periods. If the password expiration is set to disable, it means that the same password can be used indefinitely, making it susceptible to brute-force and other password-related attacks.
2. Steps
• Enable password expiration in the AWS IAM policy
• Set the password expiration period to 90 days
3. Secure code example
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.GetAccountPasswordPolicyResult;
import com.amazonaws.services.identitymanagement.model.UpdateAccountPasswordPolicyRequest;
private static final String ACCESS_KEY = "YOUR_ACCESS_KEY";...The updated code now includes a call to `updateAccountPasswordPolicy` with a new `UpdateAccountPasswordPolicyRequest` object. This object is configured to set the password expiration period to 90 days, prevent the reuse of the last 5 passwords, and require at least one symbol, number, uppercase letter, and lowercase letter in the password. This ensures that the AWS IAM policy now has a strong password policy, which includes password expiration. After updating the password policy, the code retrieves the current account password policy and prints whether password expiration is enabled.