Weak credential policy - Temporary passwords - Aws

Need

Enhancement of credential policy for temporary passwords

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Non compliant code

    resource "aws_iam_user" "example" {
      name = "example_user"
    }

    resource "aws_iam_user_login_profile" "example" {
      user    = aws_iam_user.example.name
      pgp_key = "keybase:some_person_that_exists"
    }

    data "aws_iam_policy_document" "example" {
      statement {
        actions   = ["iam:ChangePassword"]
        resources = [aws_iam_user.example.arn]
      }
    }

    resource "aws_iam_user_policy" "example" {
      name   = "example_policy"
      user   = aws_iam_user.example.name
      policy = data.aws_iam_policy_document.example.json
    }

The above Terraform code creates an IAM user and a login profile for that user without enforcing any password policy. The aws_iam_user_login_profile resource creates the login profile that lets the user sign in to the AWS Management Console. The user's password is handled through the pgp_key argument, which is set to a static value, and no password length or reset requirement is specified.

Moreover, the code attaches a policy to the user that allows them to change their own password (iam:ChangePassword). However, the policy does not enforce any rules for password strength, so users can choose weak passwords, which is a security risk.

This lack of a strong credential policy for temporary passwords is a serious security threat: it leaves the system susceptible to brute-force and password-guessing attacks. Without a password complexity requirement, users could choose easily guessable passwords and thereby compromise the security of the system.

Steps

  • Implement a strong password policy for temporary passwords.
  • Use a secure method to generate and store temporary passwords.
  • Ensure that temporary passwords are only valid for a limited period of time.
  • Enforce multi-factor authentication for users when they log in with temporary passwords.
  • Regularly review and update the temporary password policy to align with best practices and industry standards.

Compliant code

    resource "aws_iam_user" "example" {
      name = "example_user"
    }

    resource "aws_iam_user_login_profile" "example" {
      user                    = aws_iam_user.example.name
      pgp_key                 = "keybase:some_person_that_exists"
      password_length         = 20
      password_reset_required = true
    }

    data "aws_iam_policy_document" "example" {
      statement {
        actions   = ["iam:ChangePassword"]
        resources = [aws_iam_user.example.arn]
      }
    }

    resource "aws_iam_user_policy" "example" {
      name   = "example_policy"
      user   = aws_iam_user.example.name
      policy = data.aws_iam_policy_document.example.json
    }

    resource "aws_iam_account_password_policy" "strict" {
      minimum_password_length        = 20
      require_symbols                = true
      require_numbers                = true
      require_uppercase_characters   = true
      require_lowercase_characters   = true
      allow_users_to_change_password = true
      max_password_age               = 7
      password_reuse_prevention      = 5
      hard_expiry                    = true
    }

The updated code includes a strong password policy for temporary passwords. The aws_iam_user_login_profile resource now sets password_length to 20 and password_reset_required to true, so the generated temporary password is long and complex and the user must change it at their next sign-in.

The aws_iam_account_password_policy resource has been added to enforce a strict password policy across the whole account: a minimum password length of 20 characters; required symbols, numbers, uppercase and lowercase characters; a maximum password age of 7 days; prevention of reuse of the last 5 passwords; and hard expiry, which requires a password change once the password has expired.

This updated code helps to mitigate the risk of weak temporary passwords by enforcing a strong password policy and requiring users to change their temporary passwords promptly.
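An audit check a reviewer can run against a deployed account, added here as an example rather than taken from this page's Terraform: it compares an account password policy, in the response shape of IAM GetAccountPasswordPolicy (what boto3's iam.get_account_password_policy() returns), against the values of the "strict" resource above. The three sample policies are constructed so the check runs offline.

```python
# Added audit check (not part of the page's Terraform). REQUIRED_POLICY mirrors
# the aws_iam_account_password_policy "strict" resource; the dict shape follows
# the IAM GetAccountPasswordPolicy response, as returned by boto3's
# iam.get_account_password_policy(). Sample policies below are constructed.
REQUIRED_POLICY = {
    "MinimumPasswordLength": 20,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 7,
    "PasswordReusePrevention": 5,
    "HardExpiry": True,
}


def audit_password_policy(response):
    """Return a list of findings; an empty list means the policy is compliant."""
    policy = (response or {}).get("PasswordPolicy")
    if not policy:
        # AWS accounts start with no policy at all, which is the weakest state.
        return ["no account password policy is configured"]
    findings = []
    for key, required in REQUIRED_POLICY.items():
        actual = policy.get(key)
        if key in ("MinimumPasswordLength", "PasswordReusePrevention"):
            ok = actual is not None and actual >= required  # stricter is fine
        elif key == "MaxPasswordAge":
            # With ExpirePasswords false, MaxPasswordAge is absent: never expires.
            ok = (policy.get("ExpirePasswords") is True
                  and actual is not None and actual <= required)
        else:
            ok = actual == required  # boolean requirements must match exactly
        if not ok:
            findings.append(f"{key}: got {actual!r}, required {required!r}")
    return findings


# Constructed samples: the AWS default (no policy), the "strict" resource above,
# and a weak policy of the kind the non-compliant code leaves in place.
NO_POLICY = {}
STRICT_POLICY = {"PasswordPolicy": {**REQUIRED_POLICY, "ExpirePasswords": True}}
WEAK_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
    "HardExpiry": False,
}}
```

Calling audit_password_policy(WEAK_POLICY) reports six findings, including the missing password expiry and reuse prevention, while the strict policy reports none.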
