
Weak credential policy - Password Expiration - Ruby


Need

Enforcement of strong credential policy - Password Expiration


Context

  1. Usage of Ruby for building dynamic and object-oriented applications
  2. Usage of aws-sdk-iam for managing AWS Identity and Access Management (IAM) resources

Description

Insecure Code Example

require 'aws-sdk-iam'  # aws sdk gem for IAM

iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})

# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})

# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: false    # does not control expiration; only whether an expired password can be self-reset
  # max_password_age is omitted, so it reverts to its default of 0: passwords never expire
})

In the above code, we use the AWS SDK for Ruby to manage IAM users, groups and the account password policy. First, we create an IAM client for the 'us-west-2' region. Then we create an IAM group named 'MyGroovyGroup' and a user named 'MyGroovyUser', and add the user to the group. Finally, we set the account password policy with the following attributes:

  • minimum_password_length: 8
  • require_symbols: true
  • require_numbers: true
  • require_uppercase_characters: true
  • require_lowercase_characters: true
  • allow_users_to_change_password: true
  • password_reuse_prevention: 3
  • hard_expiry: false

The vulnerability is that the policy never sets `max_password_age`. `update_account_password_policy` is not a partial update: every parameter that is omitted reverts to its default, and the default for `max_password_age` is 0, which means passwords never expire. Note that `hard_expiry` does not control whether passwords expire; it only controls whether a user whose password has already expired may set a new one. As a result, the password of 'MyGroovyUser' (and of every other IAM user in the account, since the policy is account-wide) remains valid indefinitely, which is a security risk. Good security practices suggest that credentials are renewed in 90-day periods, so `max_password_age` should be set to 90. This ensures that the password expires every 90 days, prompting the user to change it and thereby enhancing the security of the application.

Steps

  1. Enable password expiration in the AWS IAM account password policy by setting max_password_age
  2. Set the password expiration period to 90 days
  3. Update the code so that the full policy, including max_password_age, is applied on every update

Secure Code Example

require 'aws-sdk-iam'  # aws sdk gem for IAM

iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})

# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})

# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: true,   # expired passwords cannot be self-reset; an administrator must reset them
  max_password_age: 90 # passwords expire 90 days after they were last changed
})

The updated code sets `max_password_age` to `90`, which is what actually enforces expiration: once more than 90 days have passed since an IAM user's password was last changed, that password is no longer accepted for signing in to the AWS Management Console. Setting `hard_expiry` to `true` additionally prevents a user whose password has expired from choosing a new one; an administrator must reset it. Note that the password policy governs only console passwords: access keys are separate credentials, so a user with active access keys can still reach AWS services through the AWS CLI or AWS API after their password expires, and those keys need their own rotation. Because the policy is account-wide and `update_account_password_policy` replaces the whole policy, the full set of parameters must be supplied on every call, as in the example above. This change ensures that the IAM policy adheres to good security practices by requiring credentials to be renewed every 90 days.
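As an added example (not code from the original page), the following Ruby script covers the three steps above from the auditing side: it checks an account password policy for the expiration setting and builds the complete replacement policy so that no other setting silently reverts to its default. The policy hashes are shaped like the SDK's `get_account_password_policy` response; the 90-day limit, the constants, the sample policies and the helper names are assumptions made for illustration, and the two live helpers at the end need the aws-sdk-iam gem and AWS credentials, so they are not exercised offline.

```ruby
# Added example: audit an IAM account password policy for expiration and build a
# full replacement. Not code from the original page. Policy hashes are shaped
# like Aws::IAM::Types::PasswordPolicy#to_h (nil members are omitted by to_h).

MAX_PASSWORD_AGE_DAYS = 90 # limit taken from the page's 90-day recommendation

# Parameters accepted by update_account_password_policy. The call is not a
# partial update: any key left out reverts to its default (max_password_age -> 0).
POLICY_UPDATE_KEYS = %i[
  minimum_password_length require_symbols require_numbers
  require_uppercase_characters require_lowercase_characters
  allow_users_to_change_password max_password_age
  password_reuse_prevention hard_expiry
].freeze

# Constructed sample policies mirroring the page's two examples (not real accounts).
INSECURE_POLICY = {
  minimum_password_length: 8, require_symbols: true, require_numbers: true,
  require_uppercase_characters: true, require_lowercase_characters: true,
  allow_users_to_change_password: true, password_reuse_prevention: 3,
  hard_expiry: false
}.freeze
SECURE_POLICY = INSECURE_POLICY.merge(hard_expiry: true, max_password_age: 90).freeze

# Returns an array of findings; empty means expiration is enforced within the limit.
# A nil policy stands for "no custom policy", which get_account_password_policy
# reports by raising NoSuchEntity; the AWS default policy has no expiration.
def audit_password_policy(policy, limit_days: MAX_PASSWORD_AGE_DAYS)
  return ['no account password policy set: passwords never expire'] if policy.nil?

  findings = []
  age = policy[:max_password_age].to_i # nil (omitted) and 0 both mean "never"
  if age.zero?
    findings << 'max_password_age is unset (0): passwords never expire'
  elsif age > limit_days
    findings << "max_password_age is #{age} days, above the #{limit_days}-day limit"
  end
  findings
end

# Builds the full parameter hash for update_account_password_policy, carrying
# over every existing setting and forcing max_password_age. Response-only keys
# such as expire_passwords are dropped because the update call rejects them.
def build_policy_update(current, max_age_days: MAX_PASSWORD_AGE_DAYS)
  (current || {}).slice(*POLICY_UPDATE_KEYS).merge(max_password_age: max_age_days)
end

# Live helpers (assumed usage): need the aws-sdk-iam gem and AWS credentials.
def fetch_account_password_policy(iam)
  iam.get_account_password_policy.password_policy.to_h
rescue Aws::IAM::Errors::NoSuchEntity
  nil # account is on the default policy, which never expires passwords
end

def enforce_expiration!(iam)
  current = fetch_account_password_policy(iam)
  return current if audit_password_policy(current).empty?

  iam.update_account_password_policy(build_policy_update(current))
  fetch_account_password_policy(iam)
end

if $PROGRAM_NAME == __FILE__
  { 'insecure' => INSECURE_POLICY, 'secure' => SECURE_POLICY, 'none' => nil }.each do |name, pol|
    puts "#{name}: #{audit_password_policy(pol).inspect}"
  end
  # Against a real account:
  #   require 'aws-sdk-iam'
  #   enforce_expiration!(Aws::IAM::Client.new(region: 'us-west-2'))
end
```

`build_policy_update` is the part worth copying: because the update replaces the whole policy, reading the current one first and merging only the expiration change is what keeps `password_reuse_prevention` and the complexity rules from quietly dropping back to their defaults.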


References

  • 277 - Weak credential policy - Password Expiration

  • Last updated

    2023/09/18