package iam

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// noPasswordReuseMinCount is the smallest ReusePreventionCount this rule
// accepts; anything below it is reported as a finding.
//
// NOTE(review): the CIS AWS Foundations controls this rule is mapped to
// (1.2 §1.10, 1.4 §1.9) are generally read as requiring the last 24
// passwords to be remembered, which is stricter than 5. A policy that
// passes this rule is therefore not necessarily CIS-compliant — confirm
// whether the looser threshold is intentional.
const noPasswordReuseMinCount = 5

// CheckNoPasswordReuse reports an AWS IAM account password policy whose
// ReusePreventionCount is below noPasswordReuseMinCount, i.e. one that still
// lets a user cycle back to a recently used password.
//
// The rule is silent — neither a failure nor a pass is recorded — when the
// password policy is unmanaged (presumably: nothing in the scanned state
// describes the account password policy). An account with no password policy
// at all is therefore not flagged by this rule; do not treat "no finding"
// as "policy present and compliant".
var CheckNoPasswordReuse = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0056",
		Provider:  providers.AWSProvider,
		Service:   "iam",
		ShortCode: "no-password-reuse",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"1.10"},
			framework.CIS_AWS_1_4: {"1.9"},
		},
		Summary:    "IAM Password policy should prevent password reuse.",
		Impact:     "Password reuse increase the risk of compromised passwords being abused",
		Resolution: "Prevent password reuse in the policy",
		Explanation: `IAM account password policies should prevent the reuse of passwords. 

The account password policy should be set to prevent using any of the last five used passwords.`,
		Links: []string{
			"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPasswordReuseGoodExamples,
			BadExamples:         terraformNoPasswordReuseBadExamples,
			Links:               terraformNoPasswordReuseLinks,
			RemediationMarkdown: terraformNoPasswordReuseRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		pwPolicy := s.AWS.IAM.PasswordPolicy

		// Unmanaged policy: nothing to evaluate, and deliberately no
		// pass/fail result either (see the doc comment above).
		if pwPolicy.Metadata.IsUnmanaged() {
			return
		}

		// Happy path first: a count at or above the threshold passes.
		if !pwPolicy.ReusePreventionCount.LessThan(noPasswordReuseMinCount) {
			results.AddPassed(&pwPolicy)
			return
		}

		// Below threshold (including the zero value when the count is
		// unset): report the offending attribute so the finding points at
		// the reuse-prevention setting rather than the whole policy.
		results.Add(
			"Password policy allows reuse of recent passwords.",
			pwPolicy.ReusePreventionCount,
		)
		return
	},
)