RAM Password Policy Prevents Password Reuse

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-003

Ensure that your Resource Access Management (RAM) users are using a strong password policy that enforces the prevention of reusing RAM user passwords. Trend Vision One™ provides you with the capability to define your own password history check policy upon enabling this Trend Vision One™ - Cloud Posture rule. You can set the **PasswordReusePrevention** parameter to a value between 1 and 24.

Security

Enforcing RAM user password strength, complexity, and rotation is vital when it comes to maintaining the security of your Alibaba Cloud account. Having a strong password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks. The default RAM password policy does not prevent password reuse: without a password history check, a user who is forced to rotate a password can immediately revert to a previously used (and possibly already compromised) password, which defeats the purpose of rotation.


Audit

To determine if your password policy enforces the prevention of reusing RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Trend Vision One™ account, access the RAM Password Policy Prevents Password Reuse Trend Vision One™ - Cloud Posture rule settings, and identify the password history check policy configured for your RAM user password policy.

02 Sign in to your Alibaba Cloud account.

03 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

04 In the left navigation panel, under Identities, choose Settings.

05 Select the Security Settings tab to access the security settings available for your RAM identities.

06 In the Password Strength Settings section, check the Password History Check Policy attribute value to determine if the password policy enforces the prevention of reusing RAM user passwords. If the Password History Check Policy value is less than the PasswordReusePrevention value defined in the rule settings identified at step no. 1, or Password History Check Policy is set to Disable, the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Using Alibaba Cloud CLI

01 Sign in to your Trend Vision One™ account, access the RAM Password Policy Prevents Password Reuse Trend Vision One™ - Cloud Posture rule settings, and identify the password history check policy configured for your RAM user password policy.

02 Run the GetPasswordPolicy command (OSX/Linux/UNIX) to describe the RAM user password policy configured for your Alibaba Cloud account:

aliyun ram GetPasswordPolicy

03 The command output should return the user password policy in JSON format:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": false,
		"RequireNumbers": false,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": false,
		"RequireSymbols": false
	}
}

Check the "PasswordReusePrevention" attribute value to determine if the current password policy enforces the prevention of reusing RAM user passwords. If the "PasswordReusePrevention" value is less than the configurable value defined in the rule settings identified at step no. 1, the RAM user password policy configured for your Alibaba Cloud account is not compliant. The value 0, as shown in the example above, indicates that the password history check is disabled, therefore, your password policy does not meet the recommended security standards.

Remediation / Resolution

To enforce the prevention of reusing RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 Choose Edit from the Password Strength Settings section.

06 Use the Password History Check Policy setting to configure password reuse prevention for your account. To ensure compliance, configure Password History Check Policy based on the policy defined in the Trend Vision One™ - Cloud Posture rule settings. Choose OK to apply the configuration changes.

Using Alibaba Cloud CLI

01 Run the SetPasswordPolicy command (OSX/Linux/UNIX) to update the RAM user password policy configured for your Alibaba Cloud account in order to prevent password reuse. For compliance, use the password history check policy defined in the Trend Vision One™ - Cloud Posture rule settings to configure the --PasswordReusePrevention command parameter. Note that SetPasswordPolicy applies the whole password policy and its other parameters are documented with default values; to avoid weakening settings you have already hardened (for example the minimum length or the character class requirements), pass their current values in the same command and verify them in the output:

aliyun ram SetPasswordPolicy \
  --PasswordReusePrevention 5

02 The command output should return the modified user password policy:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 14,
		"RequireLowercaseCharacters": true,
		"RequireNumbers": true,
		"PasswordReusePrevention": 5,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": true,
		"RequireSymbols": true
	}
}

03 Run the GetPasswordPolicy command again and confirm that the "PasswordReusePrevention" value in the output matches the password history check policy defined in the Trend Vision One™ - Cloud Posture rule settings. The password policy is account-wide, so no per-user change is required.
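As an added example (not code from the original page, from Trend Micro, or from Alibaba Cloud), the following Python script combines the CLI audit and remediation steps above: it parses GetPasswordPolicy output, compares "PasswordReusePrevention" against the value from the rule settings, and builds the SetPasswordPolicy command that passes every existing setting back so nothing else is weakened. The embedded JSON is a constructed sample; the `--live` and `--fix` flags, the default threshold of 5, and the assumptions that the aliyun CLI accepts literal `true`/`false` for boolean parameters and falls back to defaults for parameters omitted from SetPasswordPolicy are this example's own.

```python
"""Audit and remediate Alibaba Cloud RAM password reuse prevention via the aliyun CLI.

Added example for this rule; not part of the original page or the aliyun tooling.
"""
import json
import subprocess
import sys

# Constructed sample of a GetPasswordPolicy response (not captured from a real account).
# The history check is disabled (0) while the other settings are already hardened.
SAMPLE_POLICY_JSON = """{
    "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireLowercaseCharacters": true,
        "RequireNumbers": true,
        "PasswordReusePrevention": 0,
        "MaxPasswordAge": 90,
        "MaxLoginAttemps": 5,
        "HardExpiry": false,
        "RequireUppercaseCharacters": true,
        "RequireSymbols": true
    }
}"""

# Settings that SetPasswordPolicy accepts; "MaxLoginAttemps" is spelled this way in the API itself.
POLICY_FIELDS = (
    "MinimumPasswordLength",
    "RequireLowercaseCharacters",
    "RequireUppercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
    "MaxPasswordAge",
    "MaxLoginAttemps",
    "HardExpiry",
    "PasswordReusePrevention",
)


def parse_policy(cli_output: str) -> dict:
    """Extract the PasswordPolicy object from GetPasswordPolicy JSON output."""
    return json.loads(cli_output)["PasswordPolicy"]


def is_reuse_prevention_compliant(policy: dict, required: int) -> bool:
    """True when the account remembers at least `required` previous passwords.

    `required` is the value set in the rule settings (1..24). A value of 0, or a
    missing field, means the password history check is disabled.
    """
    if not 1 <= required <= 24:
        raise ValueError("PasswordReusePrevention must be between 1 and 24")
    return int(policy.get("PasswordReusePrevention", 0)) >= required


def build_set_policy_command(policy: dict, required: int) -> list:
    """Build the aliyun SetPasswordPolicy invocation that fixes the finding.

    Every current setting is passed back explicitly so that the call does not
    reset settings omitted from the command to their defaults (assumed behaviour
    of SetPasswordPolicy; re-supplying them is harmless either way).
    An already-stronger history value is kept rather than lowered.
    """
    current = int(policy.get("PasswordReusePrevention", 0))
    updated = dict(policy)
    updated["PasswordReusePrevention"] = max(required, current)
    cmd = ["aliyun", "ram", "SetPasswordPolicy"]
    for field in POLICY_FIELDS:
        if field not in updated:
            continue
        value = updated[field]
        if isinstance(value, bool):  # assumed: aliyun expects literal true/false
            value = "true" if value else "false"
        cmd += ["--" + field, str(value)]
    return cmd


def run_cli(cmd: list) -> str:
    """Run an aliyun CLI command and return its stdout (needs configured credentials)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python ram_reuse_check.py [REQUIRED] [--live] [--fix]
    # Without --live the constructed sample is evaluated; --fix applies the remediation.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    required = int(args[0]) if args else 5
    if "--live" in sys.argv:
        policy = parse_policy(run_cli(["aliyun", "ram", "GetPasswordPolicy"]))
    else:
        policy = parse_policy(SAMPLE_POLICY_JSON)

    if is_reuse_prevention_compliant(policy, required):
        print("COMPLIANT: PasswordReusePrevention =", policy["PasswordReusePrevention"])
        sys.exit(0)
    fix = build_set_policy_command(policy, required)
    print("NOT COMPLIANT: PasswordReusePrevention =", policy.get("PasswordReusePrevention", 0))
    print("Remediation:", " ".join(fix))
    if "--fix" in sys.argv and "--live" in sys.argv:
        print(run_cli(fix))
    sys.exit(2)
```

Run it without flags to see the evaluation of the sample, with `--live` to audit the real account through the configured aliyun CLI profile, and with `--live --fix` to apply the generated SetPasswordPolicy command; the non-zero exit status on a finding makes it usable from a CI or scheduled compliance job.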


Publication date Feb 23, 2024