Ram Account Password Policy Max Password Age Unrecommended

  • Query id: 2bb13841-7575-439e-8e0a-cccd9ede2fa8
  • Query name: Ram Account Password Policy Max Password Age Unrecommended
  • Platform: Terraform
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}
Positive test num. 2 - tf file
resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 92
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}
Positive test num. 3 - tf file
resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 0
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}