A Reflex rule for ensuring the account password policy remains in a secure state.
To learn more about Account Password Policies, see the AWS Documentation.
For more information on changing Account Password Policies, see the AWS Documentation on updating Account Password Policies.
To get started using Reflex, check out the Reflex Documentation.
To use this rule either add it to your `reflex.yaml` configuration file:

```yaml
rules:
  aws:
    - reflex-aws-account-password-policy-insecure:
        configuration:
          minimum_password_length: 10
          require_symbols: False
          require_numbers: True
          require_uppercase_characters: True
          require_lowercase_characters: True
          allow_users_to_change_password: True
          max_password_age: 365
          password_reuse_prevention: 1
          hard_expiry: False
        version: latest
```
or add it directly to your Terraform:

```hcl
module "account-password-policy-insecure" {
  source                         = "git::https://github.com/reflexivesecurity/reflex-aws-account-password-policy-insecure.git?ref=v0.2.0"
  sns_topic_arn                  = module.central-sns-topic.arn
  reflex_kms_key_id              = module.reflex-kms-key.key_id
  minimum_password_length        = "10"
  require_symbols                = "False"
  require_numbers                = "True"
  require_uppercase_characters   = "True"
  require_lowercase_characters   = "True"
  allow_users_to_change_password = "True"
  max_password_age               = "365"
  password_reuse_prevention      = "1"
  hard_expiry                    = "False"
  mode                           = "remediate"
}
```

Note: The `sns_topic_arn` and `reflex_kms_key_id` example values shown here assume you generated resources with `reflex build`. If you are using the Terraform on its own you need to provide your own valid values.
This rule has the following configuration options:

- `mode` - Sets the rule to operate in `detect` or `remediate` mode.
  - Required: No
  - Type: string
  - Possible values: `detect` | `remediate`
  - Default: `detect`
- `minimum_password_length` - Sets the minimum number of characters allowed in an IAM user password.
  - Required: No
  - Type: integer
  - Possible values: 6 - 128
  - Default: 8
- `require_symbols` - Sets whether IAM user passwords must contain at least one of the following non-alphanumeric characters: `! @ # $ % ^ & * ( ) _ + - = [ ] { } | '`
  - Required: No
  - Type: boolean
  - Possible values: `True` | `False`
  - Default: `True`
- `require_numbers` - Sets whether IAM user passwords must contain at least one numeric character (0 to 9).
  - Required: No
  - Type: boolean
  - Possible values: `True` | `False`
  - Default: `True`
- `require_uppercase_characters` - Sets whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
  - Required: No
  - Type: boolean
  - Possible values: `True` | `False`
  - Default: `True`
- `require_lowercase_characters` - Sets whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
  - Required: No
  - Type: boolean
  - Possible values: `True` | `False`
  - Default: `True`
- `allow_users_to_change_password` - Sets whether all IAM users in your account are able to use the AWS Management Console to change their own passwords.
  - Required: No
  - Type: boolean
  - Possible values: `True` | `False`
  - Default: `True`
- `max_password_age` - Sets the number of days that an IAM user password is valid. If you do not specify a value, then the operation uses the default value of 0. The result is that IAM user passwords never expire.
  - Required: No
  - Type: integer
  - Possible values: 1 - 1095
  - Default: 0
- `password_reuse_prevention` - Sets the number of previous passwords that IAM users are prevented from reusing. If you do not specify a value, then the default value of 0 is used. The result is that IAM users are not prevented from reusing previous passwords.
  - Required: No
  - Type: integer
  - Possible values: 1 - 24
  - Default: 0
- `hard_expiry` - Prevents IAM users from setting a new password after their password has expired. The IAM user cannot be accessed until an administrator resets the password.
  - Required: No
  - Type: boolean
  - Possible values: `True` | `False`
  - Default: `False`
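The options above map one-to-one onto the fields of the IAM account password policy. The following Python script is an added example (it is not the Reflex rule's own code) of the two halves such a rule performs: evaluating a fetched policy against the configured values in detect mode, and building the `update_account_password_policy` call for remediate mode. The function names, the sample policy, and the rule that "insecure" means any field weaker than the configured requirement are assumptions made here; the IAM field names are those boto3 uses. One caveat worth showing: `update_account_password_policy` replaces the whole policy and treats omitted booleans as `False`, and it rejects `0` for `MaxPasswordAge` and `PasswordReusePrevention`, so a `0` in the configuration must be dropped rather than sent.

```python
"""Added example: check an IAM account password policy against the rule options
and build the remediation call. Not the Reflex project's own code."""

# Rule option name -> field name used by iam.get/update_account_password_policy().
CONFIG_TO_IAM = {
    "minimum_password_length": "MinimumPasswordLength",
    "require_symbols": "RequireSymbols",
    "require_numbers": "RequireNumbers",
    "require_uppercase_characters": "RequireUppercaseCharacters",
    "require_lowercase_characters": "RequireLowercaseCharacters",
    "allow_users_to_change_password": "AllowUsersToChangePassword",
    "max_password_age": "MaxPasswordAge",
    "password_reuse_prevention": "PasswordReusePrevention",
    "hard_expiry": "HardExpiry",
}

# Rule configuration as in the README's reflex.yaml example.
RULE_CONFIG = {
    "minimum_password_length": 10, "require_symbols": False, "require_numbers": True,
    "require_uppercase_characters": True, "require_lowercase_characters": True,
    "allow_users_to_change_password": True, "max_password_age": 365,
    "password_reuse_prevention": 1, "hard_expiry": False,
}

# Constructed sample of the "PasswordPolicy" dict the API returns; MaxPasswordAge
# and PasswordReusePrevention are absent when they were never set (i.e. 0).
SAMPLE_POLICY = {
    "MinimumPasswordLength": 6, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}


def coerce(value):
    """Terraform passes the options as strings ("10", "False"); normalise them."""
    if isinstance(value, str):
        if value.lower() in ("true", "false"):
            return value.lower() == "true"
        return int(value)
    return value


def find_violations(policy, config):
    """Return {option: (required, actual)} for every setting weaker than required.
    `policy` is the PasswordPolicy dict, or None when the account has no policy
    (the API raises NoSuchEntityException). Assumed baseline for that case:
    minimum length 8, nothing else enforced."""
    policy = policy or {}
    violations = {}
    for key, iam_key in CONFIG_TO_IAM.items():
        if key not in config:
            continue
        required = coerce(config[key])
        if key == "minimum_password_length":
            actual = policy.get(iam_key, 8)
            if actual < required:
                violations[key] = (required, actual)
        elif key == "password_reuse_prevention":
            actual = policy.get(iam_key, 0)
            if required > 0 and actual < required:
                violations[key] = (required, actual)
        elif key == "max_password_age":
            actual = policy.get(iam_key, 0)  # 0 means passwords never expire
            if required > 0 and (actual == 0 or actual > required):
                violations[key] = (required, actual)
        else:  # boolean requirement: only a True requirement can be violated
            actual = bool(policy.get(iam_key, False))
            if required and not actual:
                violations[key] = (required, actual)
    return violations


def remediation_kwargs(config):
    """Keyword arguments for iam.update_account_password_policy(). A 0 for the two
    integer options means 'no requirement' and is outside the accepted ranges
    (1-1095 and 1-24), so it is omitted instead of sent."""
    kwargs = {}
    for key, iam_key in CONFIG_TO_IAM.items():
        if key not in config:
            continue
        value = coerce(config[key])
        if key in ("max_password_age", "password_reuse_prevention") and value == 0:
            continue
        kwargs[iam_key] = value
    return kwargs


if __name__ == "__main__":
    print("sample policy violations:", find_violations(SAMPLE_POLICY, RULE_CONFIG))
    print("remediation call:", remediation_kwargs(RULE_CONFIG))
    try:  # optional live check; needs boto3 and iam:GetAccountPasswordPolicy
        import boto3
        iam = boto3.client("iam")
        try:
            live = iam.get_account_password_policy()["PasswordPolicy"]
        except iam.exceptions.NoSuchEntityException:
            live = None
        print("live violations:", find_violations(live, RULE_CONFIG))
    except ImportError:
        pass
```

Run offline it reports four weaknesses in the constructed sample (length, uppercase, expiry, reuse prevention); with boto3 installed and credentials present it also evaluates the live account, treating an account with no policy at all as the weakest case rather than as an error.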
If you are interested in contributing, please review our contribution guide.
This Reflex rule is made available under the MPL 2.0 license. For more information, view the LICENSE file.