Password Without Reuse Prevention

  • Query id: 6f5f5444-1422-495f-81ef-24cefd61ed2c
  • Query name: Password Without Reuse Prevention
  • Platform: Ansible
  • Severity: Medium
  • Category: Best Practices
  • URL: Github

Description

The password_reuse_prevention setting (the module's pw_reuse_prevent parameter, also accepted under the aliases password_reuse_prevent and prevent_reuse) is missing from the community.aws.iam_password_policy task or is set to 0, so the IAM password policy does not stop users from reusing previous passwords.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Password policy for AWS account
  community.aws.iam_password_policy:
    state: present
    min_pw_length: 8
    require_symbols: false
    require_numbers: true
    require_uppercase: true
    require_lowercase: true
    allow_pw_change: true
    pw_max_age: 60
    pw_expire: false
- name: Password policy for AWS account2
  community.aws.iam_password_policy:
    state: present
    min_pw_length: 8
    require_symbols: false
    require_numbers: true
    require_uppercase: true
    require_lowercase: true
    allow_pw_change: true
    pw_max_age: 60
    password_reuse_prevent: 0
    pw_expire: false
- name: Password policy for AWS account3
  community.aws.iam_password_policy:
    state: present
    min_pw_length: 8
    require_symbols: false
    require_numbers: true
    require_uppercase: true
    require_lowercase: true
    allow_pw_change: true
    pw_max_age: 60
    pw_expire: false

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Password policy for AWS account
  community.aws.iam_password_policy:
    state: present
    min_pw_length: 8
    require_symbols: false
    require_numbers: true
    require_uppercase: true
    require_lowercase: true
    allow_pw_change: true
    pw_max_age: 60
    pw_reuse_prevent: 5
    pw_expire: false
- name: Password policy for AWS account2
  community.aws.iam_password_policy:
    state: present
    min_pw_length: 8
    require_symbols: false
    require_numbers: true
    require_uppercase: true
    require_lowercase: true
    allow_pw_change: true
    pw_max_age: 60
    password_reuse_prevent: 5
    pw_expire: false
- name: Password policy for AWS account3
  community.aws.iam_password_policy:
    state: present
    min_pw_length: 8
    require_symbols: false
    require_numbers: true
    require_uppercase: true
    require_lowercase: true
    allow_pw_change: true
    pw_max_age: 60
    prevent_reuse: 5
    pw_expire: false
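The check this query performs, as an added example (not KICS's own implementation): it walks an already-parsed Ansible task list (the structure a YAML loader such as PyYAML's safe_load would return for the playbooks above; here constructed inline) and flags every community.aws.iam_password_policy task where none of the three reuse-prevention keys is present or where the value is 0.

```python
"""Flag community.aws.iam_password_policy tasks that allow password reuse.

Added example, not the KICS query code. Input is the parsed task list, so
no YAML library is needed; the sample playbook below is constructed inline.
"""

MODULE = "community.aws.iam_password_policy"
# The parameter and its aliases exactly as they appear in the samples above.
REUSE_KEYS = ("pw_reuse_prevent", "password_reuse_prevent", "prevent_reuse")


def find_missing_reuse_prevention(tasks):
    """Return the names of tasks whose IAM password policy permits reuse.

    A task is flagged when it uses the module and either sets none of the
    reuse-prevention keys or sets one of them to 0 (or a non-positive value).
    Tasks for other modules are ignored.
    """
    findings = []
    for task in tasks:
        params = task.get(MODULE)
        if not isinstance(params, dict):
            continue  # not the module this query inspects
        values = [params[key] for key in REUSE_KEYS if key in params]
        if not values or any(int(v) <= 0 for v in values):
            findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed playbook mirroring the positive/negative samples on this page.
PLAYBOOK = [
    {"name": "Password policy for AWS account",
     MODULE: {"state": "present", "min_pw_length": 8, "pw_max_age": 60}},
    {"name": "Password policy for AWS account2",
     MODULE: {"state": "present", "password_reuse_prevent": 0}},
    {"name": "Password policy for AWS account3",
     MODULE: {"state": "present", "prevent_reuse": 5}},
    {"name": "Unrelated task",
     "ansible.builtin.debug": {"msg": "not a password policy"}},
]

if __name__ == "__main__":
    for name in find_missing_reuse_prevention(PLAYBOOK):
        print(f"Password Without Reuse Prevention: {name}")
```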