Enforcement of strong password expiration policy
```hcl
provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "user" {
  name = "my_user"
}

resource "aws_iam_user_login_profile" "user_profile" {
  user                    = aws_iam_user.user.name
  password_reset_required = true
  password_length         = 14
}
```
In the code above, we define an AWS IAM user named "my_user" using Terraform, together with a console login profile for that user via the `aws_iam_user_login_profile` resource. The `password_reset_required` attribute is set to `true`, so the user is forced to change their password the next time they sign in. The `password_length` attribute is set to `14`, which is the length of the initial password Terraform generates for this login profile on creation.
However, the code does not enforce password expiration. This means that the password for the user will not automatically expire after a certain period of time, which is a potential security vulnerability.
Good security practices suggest that credentials should be renewed in 90-day periods. Without a password expiration policy, an attacker who has gained access to a user's credentials could continue to have access indefinitely, as long as the password remains unchanged.
```hcl
provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "user" {
  name = "my_user"
}

resource "aws_iam_user_login_profile" "user_profile" {
  user                    = aws_iam_user.user.name
  password_reset_required = true
  password_length         = 14
}

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 10
}
```
The updated code adds a new resource, `aws_iam_account_password_policy`, which enforces a strict password policy for the whole AWS account. This policy includes:
- `minimum_password_length`: sets the minimum password length to 14 characters.
- `require_lowercase_characters`: requires at least one lowercase character.
- `require_numbers`: requires at least one numeric character.
- `require_uppercase_characters`: requires at least one uppercase character.
- `require_symbols`: requires at least one special character.
- `allow_users_to_change_password`: allows users to change their own passwords.
- `max_password_age`: sets the maximum password age to 90 days, enforcing password expiration and requiring users to change their passwords every 90 days.
- `password_reuse_prevention`: prevents users from reusing any of their last 10 passwords.
This policy aligns with good security practices by enforcing strong passwords and regular password changes.
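The check this rule performs can be reproduced as a small static scan over Terraform text. The following is an added example, not code from the original page or from any scanning tool: it finds `aws_iam_account_password_policy` blocks with a regex (assuming the plain `key = value` attribute layout used above, with no nested blocks) and reports when password expiry is missing, disabled, or longer than 90 days. The two embedded HCL snippets are constructed from the configurations discussed above.

```python
import re

# One match per aws_iam_account_password_policy resource; "body" holds its attributes.
# Assumption: the block contains only simple `key = value` lines, as on this page.
POLICY_BLOCK = re.compile(
    r'resource\s+"aws_iam_account_password_policy"\s+"[^"]+"\s*\{(?P<body>[^}]*)\}'
)
ATTRIBUTE = re.compile(r'^\s*(\w+)\s*=\s*([^\s#]+)', re.MULTILINE)


def parse_policy_blocks(hcl: str) -> list[dict]:
    """Return one attribute dict per password-policy resource found in the HCL text."""
    blocks = []
    for block in POLICY_BLOCK.finditer(hcl):
        attrs = {}
        for key, raw in ATTRIBUTE.findall(block.group("body")):
            if raw in ("true", "false"):
                attrs[key] = raw == "true"
            elif raw.isdigit():
                attrs[key] = int(raw)
            else:
                attrs[key] = raw.strip('"')
        blocks.append(attrs)
    return blocks


def check_password_expiry(hcl: str, max_age_days: int = 90) -> list[str]:
    """Return findings; an empty list means the account policy enforces expiry."""
    policies = parse_policy_blocks(hcl)
    if not policies:
        return ["no aws_iam_account_password_policy resource: user passwords never expire"]
    findings = []
    for policy in policies:
        age = policy.get("max_password_age")
        # AWS treats an absent or zero max_password_age as "passwords never expire".
        if not age:
            findings.append("max_password_age is unset or 0: user passwords never expire")
        elif age > max_age_days:
            findings.append(f"max_password_age = {age} exceeds the {max_age_days}-day limit")
    return findings


# Constructed sample: the insecure configuration (login profile, no account policy).
INSECURE_HCL = '''
resource "aws_iam_user_login_profile" "user_profile" {
  user                    = aws_iam_user.user.name
  password_reset_required = true
  password_length         = 14
}
'''

# Constructed sample: the fixed configuration with a 90-day expiry.
SECURE_HCL = INSECURE_HCL + '''
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length   = 14
  max_password_age          = 90
  password_reuse_prevention = 10
}
'''
```

Running `check_password_expiry` on each sample returns the single "never expire" finding for the first and an empty list for the second.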