RAM account password policy without reuse prevention

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RAM account password policy without reuse prevention

Metadata

Id: a8128dd2-89b0-464b-98e9-5d629041dfe0

Cloud Provider: Alicloud

Platform: Terraform

Severity: Medium

Category: Secret Management

Learn More

Provider Reference

Description

The RAM account password policy attribute password_reuse_prevention should be defined and set to 24 or less. If password_reuse_prevention is missing, the rule reports a MissingAttribute issue and recommends adding password_reuse_prevention = 24. If it is present but set to a value greater than 24, the rule reports an IncorrectValue issue and recommends replacing it with 24.

Compliant Code Examples

resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}

Non-Compliant Code Examples

resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  password_reuse_prevention    = 25
  max_login_attempts           = 3
}

resource "alicloud_ram_account_password_policy" "corporate" {
  minimum_password_length      = 9
  require_lowercase_characters = false
  require_uppercase_characters = false
  require_numbers              = false
  require_symbols              = false
  hard_expiry                  = true
  max_password_age             = 12
  max_login_attempts           = 3
}