Complex Password Policy Should Be Present

More Info:

Password policy should be complex enough so that users can set passwords which are not easy to guess and crack.

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, ISO27001, PCIDSS, GDPR, CISAWS, CBP, NIST, HITRUST, AWSWAF, SOC2, NISTCSF

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent the misconfiguration of not having a complex password policy in AWS IAM using the AWS CLI, you can follow these steps:

Set Minimum Password Length: Ensure that the password policy enforces a minimum length for passwords. This helps in making passwords harder to guess.
```
aws iam update-account-password-policy --minimum-password-length 12
```
Require at Least One Uppercase Letter: Enforce the inclusion of at least one uppercase letter in the password to increase complexity.
```
aws iam update-account-password-policy --require-uppercase-characters
```
Require at Least One Lowercase Letter: Enforce the inclusion of at least one lowercase letter in the password to ensure a mix of character cases.
```
aws iam update-account-password-policy --require-lowercase-characters
```
Require at Least One Number and One Special Character: Ensure that the password includes at least one numeric digit and one special character to further enhance security.
```
aws iam update-account-password-policy --require-numbers --require-symbols
```

By executing these commands, you can enforce a complex password policy in AWS IAM, thereby preventing the misconfiguration of having weak password policies.

Using Python

To prevent the misconfiguration of not having a complex password policy in IAM using Python scripts, you can follow these steps for AWS, Azure, and GCP:

AWS (Boto3)

Install Boto3: Ensure you have the Boto3 library installed. You can install it using pip if you haven’t already:
```
pip install boto3
```

Create a Python Script to Set Password Policy: Use the following script to set a complex password policy in AWS IAM:

import boto3

# Create an IAM client
iam = boto3.client('iam')

# Define the password policy
password_policy = {
    'MinimumPasswordLength': 12,
    'RequireSymbols': True,
    'RequireNumbers': True,
    'RequireUppercaseCharacters': True,
    'RequireLowercaseCharacters': True,
    'AllowUsersToChangePassword': True,
    'ExpirePasswords': True,
    'MaxPasswordAge': 90,
    'PasswordReusePrevention': 5
}

# Set the password policy
response = iam.update_account_password_policy(**password_policy)
print("Password policy updated:", response)

Azure (Azure SDK for Python)

Install Azure Identity and Management Libraries: Ensure you have the Azure libraries installed:
```
pip install azure-identity azure-mgmt-authorization
```

Create a Python Script to Set Password Policy: Use the following script to set a complex password policy in Azure AD:

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize the Azure credentials and client
credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'
client = AuthorizationManagementClient(credential, subscription_id)

# Define the password policy (Note: Azure AD password policies are managed via Azure AD B2C or Conditional Access Policies)
# This is a placeholder as Azure AD password policies are not directly managed via the SDK
password_policy = {
    'minimum_length': 12,
    'require_uppercase': True,
    'require_lowercase': True,
    'require_numbers': True,
    'require_symbols': True,
    'max_age_days': 90,
    'password_reuse_prevention': 5
}

# Placeholder for setting the password policy
# Azure AD password policies are typically set via the Azure portal or PowerShell
print("Password policy should be set via Azure AD B2C or Conditional Access Policies.")

GCP (Google Cloud Client Library for Python)

Install Google Cloud IAM Library: Ensure you have the Google Cloud IAM library installed:
```
pip install google-cloud-iam
```

Create a Python Script to Set Password Policy: Use the following script to set a complex password policy in GCP IAM:

from google.cloud import iam_v1

# Initialize the IAM client
client = iam_v1.IAMClient()

# Define the password policy (Note: GCP IAM does not directly support password policies, typically managed via G Suite)
password_policy = {
    'minimum_length': 12,
    'require_uppercase': True,
    'require_lowercase': True,
    'require_numbers': True,
    'require_symbols': True,
    'max_age_days': 90,
    'password_reuse_prevention': 5
}

# Placeholder for setting the password policy
# GCP IAM password policies are typically managed via G Suite Admin SDK
print("Password policy should be set via G Suite Admin SDK.")

Summary

AWS: Use Boto3 to set a complex password policy directly.
Azure: Use Azure SDK for Python, but note that password policies are typically managed via Azure AD B2C or Conditional Access Policies.
GCP: Use Google Cloud IAM library, but note that password policies are typically managed via G Suite Admin SDK.

These scripts provide a starting point for ensuring complex password policies are enforced in your cloud environments.

Additional Reading:

https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Complex Password Policy Should Be Present

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

AWS (Boto3)

Azure (Azure SDK for Python)

GCP (Google Cloud Client Library for Python)

Summary

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: