Weak credential policy - Password Expiration - Ruby

Weak credential policy - Password Expiration - Ruby

Need

Enforcement of strong credential policy - Password Expiration

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of aws-sdk-iam for managing AWS Identity and Access Management (IAM) resources

Description

Non compliant code

        require 'aws-sdk-iam'  # aws sdk gem for IAM

iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})

# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})

# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: false,   # Password expiration flag is disabled
})
        
        

In the above code, we are using AWS SDK for IAM to manage AWS IAM users, groups and password policies.

First, we create an IAM client with the region 'us-west-2'. Then, we create an IAM group named 'MyGroovyGroup' and a user named 'MyGroovyUser'. We then add the user to the group.

Next, we create a password policy with the following attributes:
- minimum_password_length: 8
- require_symbols: true
- require_numbers: true
- require_uppercase_characters: true
- require_lowercase_characters: true
- allow_users_to_change_password: true
- password_reuse_prevention: 3
- hard_expiry: false

The vulnerability lies in the hard_expiry: false line. This line disables the password expiration flag. This means that the password for the IAM user 'MyGroovyUser' will not expire, which is a security risk.

Good security practices suggest that credentials should be renewed in 90 day periods. Therefore, the hard_expiry flag should be set to true and the max_password_age should be set to 90. This will ensure that the password expires every 90 days, prompting the user to change their password and thereby enhancing the security of the application.

Steps

  • Enable password expiration in the AWS IAM policy
  • Set the password expiration period to 90 days
  • Update the code to reflect the changes in the IAM policy

Compliant code

        require 'aws-sdk-iam'  # aws sdk gem for IAM

iam = Aws::IAM::Client.new(region: 'us-west-2')

# Create an IAM group
group = iam.create_group({group_name: 'MyGroovyGroup'})

# Create an IAM user
user = iam.create_user({user_name: 'MyGroovyUser'})

# Add the user to the group
iam.add_user_to_group({group_name: 'MyGroovyGroup', user_name: 'MyGroovyUser'})

# Create a password policy
iam.update_account_password_policy({
  minimum_password_length: 8,
  require_symbols: true,
  require_numbers: true,
  require_uppercase_characters: true,
  require_lowercase_characters: true,
  allow_users_to_change_password: true,
  password_reuse_prevention: 3,
  hard_expiry: true,   # Password expiration flag is enabled
  max_password_age: 90 # Password expiration period is set to 90 days
})
        
        

The updated code now includes a password policy that enforces password expiration every 90 days. This is achieved by setting the hard_expiry flag to true and the max_password_age to 90.

The hard_expiry flag, when set to true, enables password expiration. The max_password_age parameter sets the maximum number of days that an IAM user's password is valid. When the specified number of days since IAM user's password was last changed is exceeded, the IAM user is no longer allowed to use the AWS Management Console, but they can still access AWS services through the AWS CLI or AWS API.

This change ensures that the AWS IAM policy adheres to good security practices by requiring credentials to be renewed every 90 days.

References