RAM Password Policy with at Least One Lowercase Letter

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-007

Ensure that your Resource Access Management (RAM) users are using a password policy that requires at least one lowercase letter in order to enforce creating strong user passwords.

Security

Enforcing RAM user password strength, pattern, and rotation is vital to maintaining the security of your Alibaba Cloud account. A strong password policy significantly reduces the risk of password-guessing and brute-force attacks against console logons. The default RAM password policy only sets a minimum length and does not require any character class (lowercase, uppercase, numbers, or symbols) in a user password.


Audit

To determine if your password policy enforces at least one lowercase letter for RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 In the Password Strength Settings section, check the Required Elements in Password attribute value to determine if the password policy enforces at least one lowercase letter for RAM user passwords. If the value of the Required Elements in Password attribute does not contain Lowercase Letters, the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Using Alibaba Cloud CLI

01 Run the GetPasswordPolicy command (OSX/Linux/UNIX) to describe the RAM user password policy configured for your Alibaba Cloud account:

aliyun ram GetPasswordPolicy

02 The command output should return the user password policy in JSON format:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": false,
		"RequireNumbers": false,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": false,
		"RequireSymbols": false
	}
}

Check the "RequireLowercaseCharacters" attribute value to determine if your current password policy enforces at least one lowercase letter for RAM user passwords. If the "RequireLowercaseCharacters" value is set to false, as shown in the example above, the RAM user password policy configured for your Alibaba Cloud account is not compliant. Note that the "MaxLoginAttemps" spelling is the API's own attribute name, not a typo in the output.

Remediation / Resolution

To enforce at least one lowercase letter for your RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 Choose Edit from the Password Strength Settings section.

06 Select the Lowercase Letters setting checkbox from Required Elements in Password section and choose OK to apply the configuration changes.

Using Alibaba Cloud CLI

01 Run the SetPasswordPolicy command (OSX/Linux/UNIX) to update the user password policy configured for your Alibaba Cloud account so that RAM users must include at least one lowercase letter in their passwords. Because the password policy is a single account-wide object, pass any other policy attributes you already rely on (for example the minimum length or other required elements) explicitly in the same command rather than assuming they are left untouched:

aliyun ram SetPasswordPolicy \
  --RequireLowercaseCharacters true

02 The command output should return the modified user password policy:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": true,
		"RequireNumbers": false,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": false,
		"RequireSymbols": false
	}
}

03 Run the GetPasswordPolicy command again and confirm that the "RequireLowercaseCharacters" attribute is now set to true. The password policy applies to every RAM user in the account, so no per-user change is required; existing passwords are not rewritten, and the new requirement is enforced the next time a user sets or changes a password.
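The following script ties the CLI audit and remediation steps above together. It is an added example written for this page, not Conformity's or Alibaba Cloud's own code. It parses the JSON that `aliyun ram GetPasswordPolicy` prints (a constructed copy of the audit output above is embedded so it runs offline), reports whether the lowercase requirement is enforced (and, going one step beyond this rule, which other required elements are still disabled), and renders the `aliyun ram SetPasswordPolicy` command that enables the lowercase requirement while re-sending every other current attribute, so nothing is reset by omission. The assumption is that the CLI accepts each attribute from the PasswordPolicy object as a `--Name value` flag of the same name, as the page shows for `--RequireLowercaseCharacters`.

```python
import json
import shlex

# Constructed sample: the JSON that `aliyun ram GetPasswordPolicy` returns for
# an account still on the default policy (values mirror the audit output above).
SAMPLE_GET_PASSWORD_POLICY_OUTPUT = """
{
  "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireLowercaseCharacters": false,
    "RequireNumbers": false,
    "PasswordReusePrevention": 0,
    "MaxPasswordAge": 0,
    "MaxLoginAttemps": 0,
    "HardExpiry": false,
    "RequireUppercaseCharacters": false,
    "RequireSymbols": false
  }
}
"""

# Attributes of the PasswordPolicy object. Assumption: SetPasswordPolicy takes
# each one as a flag of the same name. "MaxLoginAttemps" is the API's own
# spelling, not a typo in this script.
POLICY_KEYS = (
    "MinimumPasswordLength",
    "RequireLowercaseCharacters",
    "RequireUppercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
    "HardExpiry",
    "MaxPasswordAge",
    "PasswordReusePrevention",
    "MaxLoginAttemps",
)

REQUIRED_ELEMENT_KEYS = (
    "RequireLowercaseCharacters",
    "RequireUppercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)


def parse_password_policy(cli_output: str) -> dict:
    """Extract the PasswordPolicy object from GetPasswordPolicy JSON output."""
    return json.loads(cli_output)["PasswordPolicy"]


def lowercase_enforced(policy: dict) -> bool:
    """AlibabaCloud-RAM-007: the policy requires at least one lowercase letter."""
    return policy.get("RequireLowercaseCharacters") is True


def missing_required_elements(policy: dict) -> list:
    """Every character-class requirement the policy leaves disabled."""
    return [k for k in REQUIRED_ELEMENT_KEYS if policy.get(k) is not True]


def cli_value(value) -> str:
    """The aliyun CLI takes booleans as the literal words true/false."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def build_set_password_policy_command(policy: dict, **changes) -> str:
    """Render `aliyun ram SetPasswordPolicy` applying `changes` on top of the
    current policy, re-sending every other attribute so it is not reset."""
    merged = {k: policy[k] for k in POLICY_KEYS if k in policy}
    merged.update(changes)
    args = ["aliyun", "ram", "SetPasswordPolicy"]
    for key in POLICY_KEYS:
        if key in merged:
            args += ["--" + key, cli_value(merged[key])]
    return " ".join(shlex.quote(a) for a in args)


def remediate_lowercase(cli_output: str):
    """Return (compliant, remediation_command) for the RAM-007 finding."""
    policy = parse_password_policy(cli_output)
    if lowercase_enforced(policy):
        return True, None
    return False, build_set_password_policy_command(
        policy, RequireLowercaseCharacters=True)


if __name__ == "__main__":
    compliant, cmd = remediate_lowercase(SAMPLE_GET_PASSWORD_POLICY_OUTPUT)
    print("RAM-007 compliant:", compliant)
    if cmd:
        print("remediation:", cmd)
```

In practice you would feed the script the live output, e.g. `aliyun ram GetPasswordPolicy | python3 check_ram_007.py` with `sys.stdin.read()` in place of the embedded sample, and then run the printed command once it has been reviewed.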

Publication date Feb 23, 2024