Enforcement of strong credential policy - Password Expiration
require 'aws-sdk-iam' # aws sdk gem for IAM
iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({ group_name: 'MyGroovyGroup' })

# Create an IAM user
user = iam.create_user({ user_name: 'MyGroovyUser' })

# Add the user to the group
iam.add_user_to_group({ group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser' })

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: false # Password expiration flag is disabled
})
In the above code, we use the AWS SDK for Ruby's IAM client to manage IAM users, groups and the account password policy.
First, we create an IAM client for the region 'us-west-2'. Then we create an IAM group named 'MyGroovyGroup' and a user named 'MyGroovyUser', and add the user to the group.
Next, we create a password policy with the following attributes:
- minimum_password_length: 8
- require_symbols: true
- require_numbers: true
- require_uppercase_characters: true
- require_lowercase_characters: true
- allow_users_to_change_password: true
- password_reuse_prevention: 3
- hard_expiry: false
The vulnerability lies in the 'hard_expiry: false' line. This line disables the password expiration flag, which means that the password for the IAM user 'MyGroovyUser' will not expire. That is a security risk.
Good security practices suggest that credentials should be renewed in 90-day periods. Therefore, the 'hard_expiry' flag should be set to 'true' and 'max_password_age' should be set to 90. This ensures that the password expires every 90 days, prompting the user to change it and thereby enhancing the security of the application.
require 'aws-sdk-iam' # aws sdk gem for IAM
iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({ group_name: 'MyGroovyGroup' })

# Create an IAM user
user = iam.create_user({ user_name: 'MyGroovyUser' })

# Add the user to the group
iam.add_user_to_group({ group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser' })

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: true,     # Password expiration flag is enabled
  max_password_age: 90   # Password expiration period is set to 90 days
})
The updated code now includes a password policy that enforces password expiration every 90 days. This is achieved by setting the 'hard_expiry' flag to 'true' and 'max_password_age' to 90.
The 'hard_expiry' flag, when set to 'true', enables password expiration. The 'max_password_age' parameter sets the maximum number of days that an IAM user's password is valid. Once the specified number of days since the IAM user's password was last changed is exceeded, the user is no longer allowed to sign in to the AWS Management Console, but can still access AWS services through the AWS CLI or AWS API.
This change ensures that the AWS IAM policy adheres to good security practices by requiring credentials to be renewed every 90 days.
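As an added example (not code from the original page), the check below audits an account password policy hash against the requirements described above, treating a missing 'max_password_age' as the disabled-expiration case. The hash keys are those of 'Aws::IAM::Client#get_account_password_policy.password_policy.to_h' (the SDK reports 'expire_passwords' alongside them); the two sample policies are constructed by hand so the audit runs offline without the gem.

```ruby
REQUIRED_MAX_PASSWORD_AGE_DAYS = 90

# Audit one account password policy hash and return an array of finding
# strings; an empty array means the policy meets the requirements above.
def audit_password_policy(policy)
  findings = []

  # When expiration is off, the IAM response reports expire_passwords: false
  # and omits max_password_age, so a missing key is itself the weak case.
  age = policy[:max_password_age]
  if age.nil? || policy[:expire_passwords] == false
    findings << 'password expiration is disabled (no max_password_age)'
  elsif age > REQUIRED_MAX_PASSWORD_AGE_DAYS
    findings << "max_password_age is #{age} days, must be at most #{REQUIRED_MAX_PASSWORD_AGE_DAYS}"
  end

  findings << 'hard_expiry is not enabled' unless policy[:hard_expiry] == true
  findings << 'minimum_password_length is below 8' if policy.fetch(:minimum_password_length, 0) < 8
  findings << 'password_reuse_prevention is not set' if policy.fetch(:password_reuse_prevention, 0) < 1

  %i[require_symbols require_numbers require_uppercase_characters
     require_lowercase_characters].each do |flag|
    findings << "#{flag} is not enabled" unless policy[flag] == true
  end

  findings
end

BASE = { minimum_password_length: 8, require_symbols: true, require_numbers: true,
         require_uppercase_characters: true, require_lowercase_characters: true,
         allow_users_to_change_password: true, password_reuse_prevention: 3 }.freeze

# Constructed sample: what the account reports after the first snippet above.
WEAK_POLICY = BASE.merge(hard_expiry: false, expire_passwords: false).freeze
# Constructed sample: what it reports after the corrected snippet.
FIXED_POLICY = BASE.merge(hard_expiry: true, expire_passwords: true, max_password_age: 90).freeze

if __FILE__ == $PROGRAM_NAME
  # With the SDK installed, a live policy would come from:
  #   Aws::IAM::Client.new(region: 'us-west-2').get_account_password_policy.password_policy.to_h
  { 'weak' => WEAK_POLICY, 'fixed' => FIXED_POLICY }.each do |name, policy|
    findings = audit_password_policy(policy)
    puts "#{name}: #{findings.empty? ? 'compliant' : findings.join('; ')}"
  end
end
```

Running it prints one line per sample: the weak policy reports the disabled expiration and the missing hard_expiry, the fixed policy reports compliant.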