Ram Account Password Policy Not Required Minimum Length

• Query id: a9dfec39-a740-4105-bbd6-721ba163c053
• Query name: Ram Account Password Policy Not Required Minimum Length
• Platform: Terraform
• Severity: Low
• Category: Secret Management
• CWE: 521
• URL: Github

Description

Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}

Positive test num. 2 - tf file

resource "alicloud_ram_account_password_policy" "corporate" {
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 14
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 14
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}