IAM User Without Password Reset
- Query id: a964d6e3-8e1e-4d93-8120-61fa640dd55a
- Query name: IAM User Without Password Reset
- Platform: CloudFormation
- Severity: Medium
- Category: Best Practices
- CWE: Ongoing
- URL: Github
Description¶
IAM User Login Profile should exist and have PasswordResetRequired property set to true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
PasswordResetRequired: false
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
newuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
topuser:
Type: AWS::IAM::User
Properties:
Path: "/"
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"myuser": {
"Properties": {
"Policies": [
{
"PolicyName": "giveaccesstoqueueonly",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": [
"myqueue.Arn"
]
},
{
"Effect": "Deny",
"Action": [
"sqs:*"
],
"NotResource": [
"myqueue.Arn"
]
}
]
}
}
],
"Path": "/",
"LoginProfile": {
"Password": "myP@ssW0rd",
"PasswordResetRequired": false
}
},
"Type": "AWS::IAM::User"
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"newuser": {
"Type": "AWS::IAM::User",
"Properties": {
"Path": "/",
"LoginProfile": {
"Password": "myP@ssW0rd"
},
"Policies": [
{
"PolicyName": "giveaccesstoqueueonly",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": [
"myqueue.Arn"
]
},
{
"Effect": "Deny",
"Action": [
"sqs:*"
],
"NotResource": [
"myqueue.Arn"
]
}
]
}
}
]
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"topuser": {
"Type": "AWS::IAM::User",
"Properties": {
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Resource": [
"myqueue.Arn"
],
"Effect": "Allow"
},
{
"Effect": "Deny",
"Action": [
"sqs:*"
],
"NotResource": [
"myqueue.Arn"
]
}
]
},
"PolicyName": "giveaccesstoqueueonly"
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
PasswordResetRequired: true
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"myuser": {
"Type": "AWS::IAM::User",
"Properties": {
"Path": "/",
"LoginProfile": {
"Password": "myP@ssW0rd",
"PasswordResetRequired": true
},
"Policies": [
{
"PolicyName": "giveaccesstoqueueonly",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": [
"myqueue.Arn"
]
},
{
"Effect": "Deny",
"Action": [
"sqs:*"
],
"NotResource": [
"myqueue.Arn"
]
}
]
}
}
]
}
}
}
}