Enhancement of credential policy for temporary passwords
resource "aws_iam_user" "example" {
  name = "example_user"
}

resource "aws_iam_user_login_profile" "example" {
  user    = aws_iam_user.example.name
  pgp_key = "keybase:some_person_that_exists"
}

data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["iam:ChangePassword"]
    resources = [aws_iam_user.example.arn]
  }
}

resource "aws_iam_user_policy" "example" {
  name   = "example_policy"
  user   = aws_iam_user.example.name
  policy = data.aws_iam_policy_document.example.json
}
The above Terraform code creates an IAM user and a console login profile for that user without enforcing any password policy. The aws_iam_user_login_profile resource creates the login profile, which lets the user sign in to the AWS Management Console; the generated initial password is delivered encrypted to the key named in the pgp_key argument, which is set to a static value here.
The code also attaches a policy that lets the user change their own password (iam:ChangePassword). However, nothing constrains the strength of the password they choose, so users can pick weak passwords, which is a security risk.
This lack of a strong credential policy for temporary passwords poses a serious security threat as it makes the system susceptible to brute force and password guessing attacks. The absence of a password complexity requirement means that users could potentially choose easily guessable passwords, thus compromising the security of the system.
resource "aws_iam_user" "example" {
  name = "example_user"
}

resource "aws_iam_user_login_profile" "example" {
  user                    = aws_iam_user.example.name
  pgp_key                 = "keybase:some_person_that_exists"
  password_length         = 20
  password_reset_required = true
}

data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["iam:ChangePassword"]
    resources = [aws_iam_user.example.arn]
  }
}

resource "aws_iam_user_policy" "example" {
  name   = "example_policy"
  user   = aws_iam_user.example.name
  policy = data.aws_iam_policy_document.example.json
}

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 20
  require_symbols                = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  allow_users_to_change_password = true
  max_password_age               = 7
  password_reuse_prevention      = 5
  hard_expiry                    = true
}
The updated code adds a strong password policy for temporary passwords. The aws_iam_user_login_profile resource now sets password_length to 20 and password_reset_required to true, so the generated temporary password is long and the user must change it at their first sign-in.
The aws_iam_account_password_policy resource has been added to enforce a strict password policy across the account: a minimum password length of 20 characters; required symbols, numbers, uppercase and lowercase characters; a maximum password age of 7 days; and prevention of reusing any of the last 5 passwords. It also requires a password change once a password has expired; note that with hard_expiry set to true an expired user cannot set the new password themselves, so an administrator must reset it, which is worth weighing against the short 7-day maximum age.
This updated code helps to mitigate the risk of weak temporary passwords by enforcing a strong password policy and requiring users to change their temporary passwords promptly.
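To verify that a deployed account actually matches the strict resource above, the following added example (not part of the original page) audits a password policy against that baseline. It operates on the "PasswordPolicy" dict shape returned by IAM GetAccountPasswordPolicy, using a constructed sample in place of the live boto3 call iam.get_account_password_policy()["PasswordPolicy"]; the names STRICT_BASELINE, check_password_policy and SAMPLE_WEAK_POLICY are this example's own.

```python
# Baseline mirrors the aws_iam_account_password_policy "strict" resource above.
STRICT_BASELINE = {
    "MinimumPasswordLength": 20,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 7,
    "PasswordReusePrevention": 5,
    "HardExpiry": True,
}

def check_password_policy(policy, baseline=STRICT_BASELINE):
    """Return findings (empty list = meets baseline).
    Numeric settings compare directionally; booleans must match; a missing
    key (e.g. no MaxPasswordAge because passwords never expire) is a finding.
    """
    findings = []
    for key, want in baseline.items():
        got = policy.get(key)
        if got is None:
            findings.append(f"{key}: not set (baseline {want})")
        elif key in ("MinimumPasswordLength", "PasswordReusePrevention") and got < want:
            findings.append(f"{key}: {got} is below baseline {want}")
        elif key == "MaxPasswordAge" and got > want:
            findings.append(f"{key}: {got} days exceeds baseline {want}")
        elif isinstance(want, bool) and got is not want:
            findings.append(f"{key}: {got} (baseline {want})")
    return findings

# Constructed sample of a weak policy, in the "PasswordPolicy" dict shape that
# IAM GetAccountPasswordPolicy returns (not captured from a real account).
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}

if __name__ == "__main__":
    for finding in check_password_policy(SAMPLE_WEAK_POLICY):
        print("FINDING:", finding)
```

Against the sample the audit reports four findings: the 8-character minimum, missing symbol requirement, no expiry (MaxPasswordAge unset) and HardExpiry disabled.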