IAM password without minimum length
Id: 1bc1c685-e593-450e-88fb-19db4c82aa1d
Cloud Provider: AWS
Platform: Terraform
Severity: Low
Category: Best Practices
Description
IAM password policies should enforce a minimum password length so that user passwords are not easily guessable or vulnerable to brute-force attacks. If the minimum_password_length attribute is omitted or set to a low value, such as a value less than 14, users can create short, weak passwords that are more susceptible to compromise. Without this safeguard, unauthorized users could more easily gain access to sensitive cloud resources, increasing the risk of account takeover and data breaches. Enforcing a strong minimum password length is a critical security measure that helps protect AWS accounts and resources from unauthorized access.
Compliant Code Examples
resource "aws_iam_account_password_policy" "negative1" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
}
Non-Compliant Code Examples
resource "aws_iam_account_password_policy" "positive1" {
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
}

resource "aws_iam_account_password_policy" "positive2" {
  minimum_password_length        = 3
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
}
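The same check can be run against a rendered plan rather than the source files, which also covers policies declared inside modules. The following is an added example, not code from this page or from the rule's own implementation; it assumes the input has the shape of `terraform show -json` output, and the function names and sample data are constructed for illustration.

```python
MIN_LENGTH = 14  # threshold used by this rule
RESOURCE_TYPE = "aws_iam_account_password_policy"

def iter_resources(module):
    """Yield every resource in a plan module, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_weak_password_policies(plan):
    """Return (address, reason) for each policy with a missing or short length."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        length = (res.get("values") or {}).get("minimum_password_length")
        if length is None:
            findings.append((res["address"], "minimum_password_length is not set"))
        elif length < MIN_LENGTH:
            findings.append(
                (res["address"], f"minimum_password_length is {length}, below {MIN_LENGTH}")
            )
    return findings

def _policy(address, length):
    # Helper for building the constructed sample below.
    return {"address": address, "type": RESOURCE_TYPE,
            "values": {"minimum_password_length": length}}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {
        "resources": [
            _policy("aws_iam_account_password_policy.negative1", 14),
            _policy("aws_iam_account_password_policy.positive1", None),
            _policy("aws_iam_account_password_policy.positive2", 3),
            {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {}},
        ],
        "child_modules": [{"resources": [
            _policy("module.iam.aws_iam_account_password_policy.nested", 8),
        ]}],
    }}
}

if __name__ == "__main__":
    for address, reason in find_weak_password_policies(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

For a real plan, load the JSON with `json.load` and pass the resulting dict to `find_weak_password_policies`; a non-empty result can fail a CI step.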