cdklabs/cdk-nag

question: AwsSolutions-COG1 doesn't check requireLowercase configuration

Opened this issue · 4 comments

General Issue

AwsSolutions-COG1 doesn't check requireLowercase configuration

The Question

AwsSolutions-COG1 rule checks requireUppercase, requireDigits and requireSymbols. But it doesn't check requireLowercase.
Any reasons for this?
https://github.com/cdklabs/cdk-nag/blob/main/src/rules/cognito/CognitoUserPoolStrongPasswordPolicy.ts

cdk-nag version

2.28.14

Language

Typescript

Other information

No response

I checked the documentation from where the rule is sourced from. The authors didn't include it in the rule description nor does it seem to be required in the reviews. This seems like a very arbitrary requirement, but I'll inquire further about it.

Conventional user behavior is to select a password in all lowercase characters. To mitigate dictionary attacks, organizations mandate at least one uppercase character and some added non-letter characters. So offering a check of lowercase characters seems like an unnecessary check.

That partly makes sense to me.

However, I still think requiring lowercase characters can make passwords more secure, because if the user already includes lowercase characters in their password, the change of this rule requiring lowercase characters in password policy will not cause any problems. This rule will come to fail Password policy will cause error only if the user does not use any lowercase characters, which contradicts with the first assumption "Conventional user behavior is to select a password in all lowercase characters."

Additionally, IAM.7 control in Security Hub, which is included in AWS Foundational Security Best Practices, also requires at least one lowercase character by default. (Although IAM.7 is applied to IAM configuration, I don't think there are any technical difference between IAM passwords and Cognito passwords.)


EDIT: Obviously, it is not cdk-nag check but the password registration process that an error could happen if the user's password does not align with the password policy. Update my comment. Sorry about the confusion.

Thanks. These are persuasive points. I'll bring them into conversation with my team.