package iam

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckSetMaxPasswordAge is the AWS IAM rule AVD-AWS-0062 (CIS AWS 1.2 control 1.11):
// it reports a failure when the account password policy's MaxAgeDays exceeds 90 and
// records a pass otherwise. A password policy that is unmanaged produces no result.
var CheckSetMaxPasswordAge = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0062",
		Provider:  providers.AWSProvider,
		Service:   "iam",
		ShortCode: "set-max-password-age",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"1.11"},
		},
		Summary:     "IAM Password policy should have expiry less than or equal to 90 days.",
		Impact:      "Long life password increase the likelihood of a password eventually being compromised",
		Resolution:  "Limit the password duration with an expiry in the policy",
		Explanation: `IAM account password policies should have a maximum age specified. 

The account password policy should be set to expire passwords after 90 days or less.`,
		Links: []string{
			"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSetMaxPasswordAgeGoodExamples,
			BadExamples:         terraformSetMaxPasswordAgeBadExamples,
			Links:               terraformSetMaxPasswordAgeLinks,
			RemediationMarkdown: terraformSetMaxPasswordAgeRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// Evaluate the single account-level password policy held in the scanned state.
	func(s *state.State) (results scan.Results) {
		pwPolicy := s.AWS.IAM.PasswordPolicy

		// Nothing to evaluate for an unmanaged policy: emit neither a failure nor a pass.
		if pwPolicy.Metadata.IsUnmanaged() {
			return results
		}

		// NOTE(review): only MaxAgeDays > 90 trips this check. How the adapter represents
		// "passwords never expire" (no maximum age configured) is not visible here — confirm
		// that representation is also caught, since a missing expiry is the weaker posture.
		switch {
		case pwPolicy.MaxAgeDays.GreaterThan(90):
			results.Add(
				"Password policy allows a maximum password age of greater than 90 days.",
				pwPolicy.MaxAgeDays,
			)
		default:
			// The pass is attributed to the local copy, matching the original's pointer usage.
			results.AddPassed(&pwPolicy)
		}
		return results
	},
)