Logo of Trend Micro

Ensure RAM password policy requires minimum length of 14 or greater

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-006

Ensure that your Resource Access Management (RAM) users are using a password policy that requires minimum 14 characters for passwords in order to enforce creating strong user passwords.

Security

Enforcing RAM user passwords strength, pattern, and rotation is vital when it comes to maintaining the security of your Alibaba Cloud account. Having a strong password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks. The default RAM password policy does not enforce any element in a user password.

Audit

To determine if your password policy enforces a minimum length of 14 characters for RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 In the Password Strength Settings section, check the Password Length attribute value to determine if the password policy requires minimum 14 characters for user passwords. If Password Length does not require a minimum length of 14 (e.g. 14 to 32 Characters), the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Using Alibaba Cloud CLI

01 Run GetPasswordPolicy command (OSX/Linux/UNIX) to describe the RAM user password policy configured for your Alibaba Cloud account: 

aliyun ram GetPasswordPolicy

02 The command output should return the user password policy in JSON format: 

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": false,
		"RequireNumbers": false,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": false,
		"RequireSymbols": false
	}
}

Check the "MinimumPasswordLength" attribute value to determine if the password policy requires minimum 14 characters for user passwords. If the "MinimumPasswordLength" value is not set to 14 or to a greater number than 14, the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Remediation / Resolution

To enforce a minimum length of 14 characters for your RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 Choose Edit from the Password Strength Settings section.

06 In the Password Length configuration box, enter 14 or a greater number, then choose OK to apply the configuration changes.

Using Alibaba Cloud CLI

01 Run SetPasswordPolicy command (OSX/Linux/UNIX) to update the user password policy configured for your Alibaba Cloud account in order to require a minimum of 14 characters for all RAM user passwords: 

aliyun ram SetPasswordPolicy 
  --MinimumPasswordLength 14

02 The command output should return the modified user password policy: 

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 14,
		"RequireLowercaseCharacters": true,
		"RequireNumbers": true,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": true,
		"RequireSymbols": true
	}
}

References

Publication date Feb 26, 2024

Related AlibabaCloud-RAM rules