Logo of Trend Micro

Ensure RAM password policy requires at least one number

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-010

Ensure that your Resource Access Management (RAM) users are using a password policy that requires at least one number in order to enforce creating strong user passwords.

Security

Enforcing RAM user passwords strength, pattern, and rotation is vital when it comes to maintaining the security of your Alibaba Cloud account. Having a strong password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks. The default RAM password policy does not enforce any element in a user password.

Audit

To determine if your password policy enforces at least one number for RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 In the Password Strength Settings section, check the Required Elements in Password attribute value to determine if the password policy enforces at least one number for RAM user passwords. If the value of the Required Elements in Password attribute does not contain Numbers, the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Using Alibaba Cloud CLI

01 Run GetPasswordPolicy command (OSX/Linux/UNIX) to describe the RAM user password policy configured for your Alibaba Cloud account: 

aliyun ram GetPasswordPolicy

02 The command output should return the user password policy in JSON format: 

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": false,
		"RequireNumbers": false,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": false,
		"RequireSymbols": false
	}
}

Check the "RequireNumbers" attribute value to determine if your current password policy enforces at least one number for RAM user passwords. If the "RequireNumbers" value is set to false, the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Remediation / Resolution

To enforce at least one number for your RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 Choose Edit from the Password Strength Settings section.

06 Select the Numbers setting checkbox from Required Elements in Password section and choose OK to apply the configuration changes.

Using Alibaba Cloud CLI

01 Run SetPasswordPolicy command (OSX/Linux/UNIX) to update the user password policy configured for your Alibaba Cloud account in order to require RAM users to include at least one number in their password pattern: 

aliyun ram SetPasswordPolicy
  --RequireNumbers true

02 The command output should return the modified user password policy: 

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": true,
		"RequireNumbers": true,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 0,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": true,
		"RequireSymbols": true
	}
}

References

Publication date Feb 26, 2024

Related AlibabaCloud-RAM rules