Logo of Trend Micro

Configure Password Retry Constraint Policy for RAM Users

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-005

Ensure that your Resource Access Management (RAM) users are using a strong password policy that is configured to temporarily block logon after several incorrect logon attempts. Trend Vision One™ - Cloud Posture provides you with the capability to define the maximum number of login attempts (between 1 and 32), upon enabling this Trend Vision One™ - Cloud Posture rule.

Security

Enforcing RAM user passwords strength, pattern, and rotation is vital when it comes to maintaining the security of your Alibaba Cloud account. Having a strong password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks.

Audit

To determine if your password policy is configured to limit the number of login attempts, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Trend Vision One™ account, access the Configure Password Retry Constraint Policy for RAM Users Trend Vision One™ - Cloud Posture rule settings, and identify the maximum number of login attempts configured for your RAM user password policy.

02 Sign in to your Alibaba Cloud account.

03 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

04 In the left navigation panel, under Identities, choose Settings.

05 Select the Security Settings tab to access the security settings available for your RAM identities.

06 In the Password Strength Settings section, check the Password Retry Constraint Policy attribute value to determine the password retry constraint policy configured for your RAM user password policy. If Password Retry Constraint Policy is set to a value greater than the one defined in the rule settings identified at step no. 1, or Password Retry Constraint Policy is set to Disable, the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Using Alibaba Cloud CLI

01 Sign in to your Trend Vision One™ account, access the Configure Password Retry Constraint Policy for RAM Users Trend Vision One™ - Cloud Posture rule settings, and identify the maximum number of login attempts configured for your RAM user password policy.

02 Run GetPasswordPolicy command (OSX/Linux/UNIX) to describe the RAM user password policy configured for your Alibaba Cloud account: 

aliyun ram GetPasswordPolicy

03 The command output should return the user password policy in JSON format: 

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": false,
		"RequireNumbers": false,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 365,
		"MaxLoginAttemps": 10,
		"HardExpiry": false,
		"RequireUppercaseCharacters": false,
		"RequireSymbols": false
	}
}

Check the "MaxLoginAttemps" attribute value to determine the password retry constraint policy configured for your password policy. If "MaxLoginAttemps" is set to a value greater than the one configured in the rule settings identified at step no. 1, the RAM user password policy configured for your Alibaba Cloud account is not compliant. When "MaxLoginAttemps" is set to 0, the password retry constraint policy is disabled, therefore, your password policy does not meet the recommended security standards.

Remediation / Resolution

To ensure that your password policy is configured to limit the number of login attempts, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 Choose Edit from the Password Strength Settings section.

06 Use the Password Retry Constraint Policy setting to limit the number of login attempts for your account. To ensure compliance, configure Password Retry Constraint Policy based on the number of login attempts defined in the Trend Vision One™ - Cloud Posture rule settings.

Using Alibaba Cloud CLI

01 Run SetPasswordPolicy command (OSX/Linux/UNIX) to update the user password policy configured for your Alibaba Cloud account in order to limit the number of login attempts for your account. For compliance, use the value defined in the Trend Vision One™ - Cloud Posture rule settings to configure the --MaxLoginAttemps command parameter: 

aliyun ram SetPasswordPolicy 
  --MaxLoginAttemps 5

02 The command output should return the modified user password policy: 

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 14,
		"RequireLowercaseCharacters": true,
		"RequireNumbers": true,
		"PasswordReusePrevention": 5,
		"MaxPasswordAge": 90,
		"MaxLoginAttemps": 5,
		"HardExpiry": false,
		"RequireUppercaseCharacters": true,
		"RequireSymbols": true
	}
}

03 Repeat steps no. 1 and 2 to disable console logon for each inactive RAM user available within your Alibaba Cloud account.

References

Publication date Feb 23, 2024

Related AlibabaCloud-RAM rules