Weak credential policy - Password strength - Aws

Weak credential policy - Password strength - Aws

Need

Implementation of a strong password policy

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS IAM User for managing user access and permissions in AWS
  • Usage of aws_iam_user_login_profile for managing login profiles for AWS IAM users

Description

Non compliant code

        resource "aws_iam_user_login_profile" "user" {
  user = "${aws_iam_user.user.name}"
  pgp_key = "keybase:some_person_that_exists"
}
        
        

In the above code snippet, we are creating an IAM user login profile without enforcing any password policy. This means that the IAM user can have a weak password, which is a security risk. The policy does not enforce password length, complexity, or expiration, which are all recommended for a strong credential policy.

A weak password policy can lead to unauthorized access if the password is easily guessed or brute-forced. It is recommended to enforce a strong password policy that includes a minimum password length, complexity requirements (including numbers, uppercase letters, lowercase letters, and non-alphanumeric characters), and password expiration.

Steps

  • Update the credential policy to enforce strong password requirements.
  • Require the use of phrases instead of word-based passwords.
  • Implement a password complexity policy that includes a minimum length, a mix of uppercase and lowercase letters, numbers, and special characters.
  • Consider implementing multi-factor authentication (MFA) for added security.
  • Regularly educate users on the importance of strong passwords and the risks associated with weak passwords.
  • Periodically review and update the credential policy to align with industry best practices.

Compliant code

        resource "aws_iam_user_login_profile" "user" {
  user    = "${aws_iam_user.user.name}"
  pgp_key = "keybase:some_person_that_exists"
  password_length = 14
  password_reset_required = true
  require_uppercase_characters = true
  require_lowercase_characters = true
  require_numbers = true
  require_symbols = true
}
        
        

The updated code now enforces a strong password policy for the AWS IAM user. Here's what each attribute does:

- user: This is the IAM user's name.
- pgp_key: This is the keybase username of the person who will initially get the password.
- password_length: This sets the minimum password length to 14 characters. You can increase this number based on your security requirements.
- password_reset_required: This forces the user to change their password the next time they log in.
- require_uppercase_characters: This ensures that the password must contain at least one uppercase letter.
- require_lowercase_characters: This ensures that the password must contain at least one lowercase letter.
- require_numbers: This ensures that the password must contain at least one number.
- require_symbols: This ensures that the password must contain at least one special character.

This policy significantly improves the strength of the password, making it harder for attackers to guess or brute-force the password. It's also recommended to implement multi-factor authentication (MFA) for added security and to regularly educate users on the importance of strong passwords and the risks associated with weak passwords.

References