IAM Password Without Lowercase Letter

  • Query id: f4cf35d6-da92-48de-ab70-57be2b2e6497
  • Query name: IAM Password Without Lowercase Letter
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Best Practices
  • URL: Github

Description

IAM Password should have at least one lowercase letter
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: MY@SSW0RD12EDE
      Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sqs:*
            Resource:
            - !GetAtt myqueue.Arn
          - Effect: Deny
            Action:
            - sqs:*
            NotResource:
            - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sns:*
            Resource:
            - !Ref mytopic
          - Effect: Deny
            Action:
            - sns:*
            NotResource:
            - !Ref mytopic
Positive test num. 2 - json file
{
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "MY@SSW0RD12EDE"
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "NotResource": [
                    "myqueue.Arn"
                  ],
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ]
                }
              ]
            }
          },
          {
            "PolicyName": "giveaccesstotopiconly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sns:*"
                  ],
                  "Resource": [
                    "mytopic"
                  ]
                },
                {
                  "Action": [
                    "sns:*"
                  ],
                  "NotResource": [
                    "mytopic"
                  ],
                  "Effect": "Deny"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rdrwawdasd
      Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sqs:*
            Resource:
            - !GetAtt myqueue.Arn
          - Effect: Deny
            Action:
            - sqs:*
            NotResource:
            - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - sns:*
            Resource:
            - !Ref mytopic
          - Effect: Deny
            Action:
            - sns:*
            NotResource:
            - !Ref mytopic
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rdrwawdasd"
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ]
                }
              ]
            }
          },
          {
            "PolicyName": "giveaccesstotopiconly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sns:*"
                  ],
                  "Resource": [
                    "mytopic"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sns:*"
                  ],
                  "NotResource": [
                    "mytopic"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  }
}