Ram Account Password Policy Not Required Minimum Length

  • Query id: a9dfec39-a740-4105-bbd6-721ba163c053
  • Query name: Ram Account Password Policy Not Required Minimum Length
  • Platform: Terraform
  • Severity: Low
  • Category: Secret Management
  • URL: Github

Description

Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}
Positive test num. 2 - tf file
resource "alicloud_ram_account_password_policy" "corporate" {
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 14
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 14
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}