Enforcement of password expiration policy
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement
import com.amazonaws.services.identitymanagement.model.UpdateAccountPasswordPolicyRequest
val iam: AmazonIdentityManagement = ???
val request = new UpdateAccountPasswordPolicyRequest()
.withMaxPasswordAge(0) // Passwords never expire
iam.updateAccountPasswordPolicy(request)
The code above is a Scala snippet that uses the AWS SDK for Java (v1) to set the account-wide IAM password policy. The UpdateAccountPasswordPolicyRequest object carries the policy settings, and withMaxPasswordAge sets the maximum password age in days. Here it is set to 0, which the IAM API interprets as "passwords never expire". Leaving the parameter out has the same effect: the API default for MaxPasswordAge is 0, and UpdateAccountPasswordPolicy does not perform partial updates, so any parameter not included in the request reverts to its default.
This is a security weakness because users are never forced to change their passwords. An IAM user password that an attacker obtains, whether through phishing, reuse of a password leaked from another site, or an old credential dump, therefore stays valid until someone notices and rotates it by hand.
Common baselines, including earlier versions of the CIS AWS Foundations Benchmark, require IAM user passwords to expire within 90 days or less. A bounded lifetime limits how long a stolen password remains usable, since the attacker loses access once the password expires and is changed. Two caveats: NIST SP 800-63B advises against arbitrary periodic rotation in favour of MFA and compromise-driven resets, so apply whichever standard your organisation has adopted; and the IAM password policy governs console passwords only, so access keys must be rotated through a separate process.
To fix this, set withMaxPasswordAge to 90 days (or the lower limit your policy requires).
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement
import com.amazonaws.services.identitymanagement.model.UpdateAccountPasswordPolicyRequest
val iam: AmazonIdentityManagement = ???
val request = new UpdateAccountPasswordPolicyRequest()
.withMaxPasswordAge(90) // Passwords expire after 90 days
iam.updateAccountPasswordPolicy(request)
The updated code sets the maximum password age to 90 days: IAM user console passwords expire 90 days after they were set, and users must choose a new one. Because the operation replaces the whole policy, a production version of this call should also restate minimum length, complexity and reuse-prevention settings in the same request; otherwise they revert to their defaults.
UpdateAccountPasswordPolicyRequest is the request class for updating the account's password policy, and withMaxPasswordAge sets the maximum password age on it.
Setting the maximum age to 90 days ensures that no password stays in use indefinitely, which bounds the useful lifetime of a password that has already been compromised.
The iam.updateAccountPasswordPolicy(request) line sends the request to IAM. It returns an empty result object on success and throws on failure, for example when the age is outside the API's valid range of 1 to 1095 days.
Please note that after this change, users will be prompted to change their passwords when they expire after 90 days. Communicate the change in advance and make sure withAllowUsersToChangePassword is enabled so users can do it themselves; if withHardExpiry is set, users whose password has already expired cannot set a new one at sign-in and need an administrator reset.
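As an added example (not code from the original page), the following Scala program applies a complete password policy, since UpdateAccountPasswordPolicy replaces every setting, and then reads the policy back with GetAccountPasswordPolicy to confirm that expiry is actually enforced. It assumes the AWS SDK for Java v1 IAM module (aws-java-sdk-iam) on the classpath, credentials and a region resolvable by the default provider chain, and policy values (14-character minimum, 24 remembered passwords, the MaxAgeLimitDays constant) chosen here for illustration.

```scala
// Added example, not from the original page. Assumes AWS SDK for Java v1
// (aws-java-sdk-iam) and a default credential/region chain that can reach IAM.
import com.amazonaws.services.identitymanagement.{AmazonIdentityManagement, AmazonIdentityManagementClientBuilder}
import com.amazonaws.services.identitymanagement.model.{NoSuchEntityException, PasswordPolicy, UpdateAccountPasswordPolicyRequest}

object PasswordExpiryPolicy {
  // Upper bound accepted for MaxPasswordAge, in days (policy choice assumed here).
  val MaxAgeLimitDays: Int = 90

  // Build the full policy. UpdateAccountPasswordPolicy does not do partial
  // updates: any parameter left out reverts to its default, so every setting
  // is stated explicitly rather than only MaxPasswordAge.
  def buildRequest(maxAgeDays: Int): UpdateAccountPasswordPolicyRequest =
    new UpdateAccountPasswordPolicyRequest()
      .withMaxPasswordAge(maxAgeDays)          // 0 or absent would mean "never expire"
      .withMinimumPasswordLength(14)           // illustrative values below
      .withRequireUppercaseCharacters(true)
      .withRequireLowercaseCharacters(true)
      .withRequireNumbers(true)
      .withRequireSymbols(true)
      .withPasswordReusePrevention(24)
      .withAllowUsersToChangePassword(true)    // users can rotate their own password
      .withHardExpiry(false)                   // expired users may still set a new one at sign-in

  // Evaluate a policy as returned by GetAccountPasswordPolicy. MaxPasswordAge is
  // null when the policy does not set it, which the API treats as "never expire".
  def expiryEnforced(policy: PasswordPolicy, limitDays: Int): Boolean = {
    val age = Option(policy.getMaxPasswordAge).map(_.intValue).getOrElse(0)
    age > 0 && age <= limitDays
  }

  // Apply the policy and verify the stored result rather than trusting the call.
  def applyAndVerify(iam: AmazonIdentityManagement): Boolean = {
    iam.updateAccountPasswordPolicy(buildRequest(MaxAgeLimitDays))
    val stored = iam.getAccountPasswordPolicy().getPasswordPolicy
    expiryEnforced(stored, MaxAgeLimitDays)
  }

  def main(args: Array[String]): Unit = {
    val iam = AmazonIdentityManagementClientBuilder.defaultClient()
    // An account with no custom policy raises NoSuchEntityException on read,
    // which for our purposes is the same as "no expiry enforced".
    val before: Option[PasswordPolicy] =
      try Option(iam.getAccountPasswordPolicy().getPasswordPolicy)
      catch { case _: NoSuchEntityException => None }
    println(s"expiry enforced before: ${before.exists(expiryEnforced(_, MaxAgeLimitDays))}")
    println(s"expiry enforced after:  ${applyAndVerify(iam)}")
  }
}
```

The read-back step is the part worth keeping in any deployment script: it catches both the "policy never set" case and a later change that silently resets MaxPasswordAge, and the same expiryEnforced check can run on its own as a periodic audit of the account.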