RAM Password Policy Enforces Password Expiration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-012

Ensure that your Resource Access Management (RAM) users are using a strong password policy that enforces password expiration with a defined threshold of 90 days or less.

Security

Enforcing RAM user password strength, pattern, and rotation is vital when it comes to maintaining the security of your Alibaba Cloud account. Requiring a strong password policy significantly reduces the risk of password-guessing and brute-force attacks, and a bounded validity period limits how long a password that has already been leaked or phished can be used before the user is forced to replace it.


Audit

To determine if your RAM user password policy enforces password expiration, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 In the Password Strength Settings section, check the Password Validity Period attribute value to determine the password expiration threshold (in days) configured for your password policy. If the number of days set for the Password Validity Period attribute is greater than 90, or if RAM user passwords are configured to never expire, the RAM user password policy configured for your Alibaba Cloud account is not compliant.

Using Alibaba Cloud CLI

01 Run GetPasswordPolicy command (OSX/Linux/UNIX) to describe the RAM user password policy configured for your Alibaba Cloud account:

aliyun ram GetPasswordPolicy

02 The command output should return the user password policy in JSON format:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 8,
		"RequireLowercaseCharacters": false,
		"RequireNumbers": false,
		"PasswordReusePrevention": 0,
		"MaxPasswordAge": 365,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": false,
		"RequireSymbols": false
	}
}

Check the "MaxPasswordAge" attribute value to determine the password expiration threshold (in number of days) configured for your password policy. If the "MaxPasswordAge" value is greater than 90, the RAM user password policy configured for your Alibaba Cloud account is not compliant. Note that a "MaxPasswordAge" value of 0 means that RAM user passwords never expire, so a value of 0 is also not compliant even though it is not greater than 90.

Remediation / Resolution

To enforce password expiration with a threshold of 90 days or less for your RAM user passwords, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Settings.

04 Select the Security Settings tab to access the security settings available for your RAM identities.

05 Choose Edit from the Password Strength Settings section.

06 Use Password Validity Period to limit the password validity period to 90 days or less. This will enforce the RAM users to use a compliant expiration date for their passwords. Choose OK to apply the configuration changes.

Using Alibaba Cloud CLI

01 Run SetPasswordPolicy command (OSX/Linux/UNIX) to update the user password policy configured for your Alibaba Cloud account in order to set the password validity period to a maximum of 90 days. SetPasswordPolicy accepts the full set of policy attributes, so retrieve the current policy with GetPasswordPolicy first and pass the other attributes you rely on (minimum length, character classes, reuse prevention, and so on) explicitly alongside --MaxPasswordAge, so that they are not reverted to their defaults, then compare the returned policy against the one you started from:

aliyun ram SetPasswordPolicy
  --MaxPasswordAge 90

02 The command output should return the modified user password policy:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PasswordPolicy": {
		"MinimumPasswordLength": 14,
		"RequireLowercaseCharacters": true,
		"RequireNumbers": true,
		"PasswordReusePrevention": 5,
		"MaxPasswordAge": 90,
		"MaxLoginAttemps": 0,
		"HardExpiry": false,
		"RequireUppercaseCharacters": true,
		"RequireSymbols": true
	}
}
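The Audit and Remediation CLI steps above can be combined into one script: parse the JSON that GetPasswordPolicy returns, decide compliance (treating both a value above 90 and the "never expires" value 0 as failures), and build a SetPasswordPolicy command that carries every attribute of the existing policy with only MaxPasswordAge clamped to 90. This is an added example written for this page, not Conformity's own checker or an Alibaba Cloud tool. It assumes the aliyun CLI is installed and configured when run with --live; the embedded sample response is constructed from the non-compliant policy shown in the Audit section, and the --<AttributeName> flags mirror the attribute names returned by GetPasswordPolicy (including the API's own spelling "MaxLoginAttemps").

```python
"""Audit and remediate the Alibaba Cloud RAM password validity period.

Added example, not code from the Conformity rule page or from Alibaba Cloud.
Offline by default: it evaluates a constructed sample response. Pass --live to
read the real policy with `aliyun ram GetPasswordPolicy` (assumes the CLI is
configured). The script never calls SetPasswordPolicy itself; it prints the
command for you to review and run.
"""
import json
import shlex
import subprocess
import sys

# Threshold from the rule: expiration must be enforced at 90 days or less.
MAX_PASSWORD_AGE_DAYS = 90

# Attribute names as returned by GetPasswordPolicy; SetPasswordPolicy takes the
# same names as flags. "MaxLoginAttemps" is the API's own spelling.
POLICY_FIELDS = [
    "MinimumPasswordLength",
    "RequireLowercaseCharacters",
    "RequireUppercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
    "MaxPasswordAge",
    "HardExpiry",
    "PasswordReusePrevention",
    "MaxLoginAttemps",
]

# Constructed sample: the non-compliant policy shown in the Audit section.
SAMPLE_OUTPUT = """{
  "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireLowercaseCharacters": false,
    "RequireNumbers": false,
    "PasswordReusePrevention": 0,
    "MaxPasswordAge": 365,
    "MaxLoginAttemps": 0,
    "HardExpiry": false,
    "RequireUppercaseCharacters": false,
    "RequireSymbols": false
  }
}"""


def load_sample() -> dict:
    """Return the constructed GetPasswordPolicy response as a fresh dict."""
    return json.loads(SAMPLE_OUTPUT)


def fetch_policy() -> dict:
    """Run `aliyun ram GetPasswordPolicy` and parse its JSON output (needs the CLI)."""
    result = subprocess.run(["aliyun", "ram", "GetPasswordPolicy"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def evaluate_policy(response: dict) -> tuple:
    """Return (compliant, reason) for the MaxPasswordAge attribute.

    0 means passwords never expire on Alibaba Cloud RAM, so it fails the rule
    even though it is not greater than the threshold.
    """
    age = int(response["PasswordPolicy"].get("MaxPasswordAge", 0))
    if age == 0:
        return False, "MaxPasswordAge is 0, so passwords never expire"
    if age > MAX_PASSWORD_AGE_DAYS:
        return False, f"MaxPasswordAge is {age} days, above the {MAX_PASSWORD_AGE_DAYS}-day limit"
    return True, f"MaxPasswordAge is {age} days"


def remediated_policy(response: dict) -> dict:
    """Copy the current policy, clamping only MaxPasswordAge to the threshold."""
    policy = dict(response["PasswordPolicy"])
    age = int(policy.get("MaxPasswordAge", 0))
    if age == 0 or age > MAX_PASSWORD_AGE_DAYS:
        policy["MaxPasswordAge"] = MAX_PASSWORD_AGE_DAYS
    return policy


def set_policy_command(policy: dict) -> list:
    """Build the SetPasswordPolicy argv carrying every attribute, not just MaxPasswordAge."""
    argv = ["aliyun", "ram", "SetPasswordPolicy"]
    for field in POLICY_FIELDS:
        value = policy.get(field)
        if value is None:
            continue  # attribute absent from the response: leave it to the service
        if isinstance(value, bool):
            value = "true" if value else "false"  # CLI boolean flags take true/false
        argv += [f"--{field}", str(value)]
    return argv


if __name__ == "__main__":
    response = fetch_policy() if "--live" in sys.argv else load_sample()
    compliant, reason = evaluate_policy(response)
    print(("COMPLIANT: " if compliant else "NOT COMPLIANT: ") + reason)
    if not compliant:
        print("Suggested remediation (review, then run):")
        print(shlex.join(set_policy_command(remediated_policy(response))))
```

Run it without arguments to see the sample evaluated and the full remediation command printed; with --live it reads your account's real policy. The command builder copies the existing attributes deliberately so that tightening the validity period does not silently loosen minimum length or character-class requirements you already had in place.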

Publication date Feb 26, 2024