From 2c6cfffe247d7fb722fa4f168f5eca73e01f7fdd Mon Sep 17 00:00:00 2001
From: Tom Plisson
Date: Tue, 12 Mar 2024 08:47:22 +0100
Subject: [PATCH] Updating PC-AWS-IAM-9 policy's RQL
---
 policies/AWS-IAM-Password-policy-is-unsecure.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/AWS-IAM-Password-policy-is-unsecure.json b/policies/AWS-IAM-Password-policy-is-unsecure.json
index af6d41c3..d7f8459c 100644
--- a/policies/AWS-IAM-Password-policy-is-unsecure.json
+++ b/policies/AWS-IAM-Password-policy-is-unsecure.json
@@ -7,7 +7,7 @@
   "name": "AWS IAM Password policy is unsecure",
   "description": "Checks to ensure that IAM password policy is in place for the cloud accounts. As a security best practice, customers must have strong password policies in place. This policy ensures password policies are set with all following options:\n- Minimum Password Length\n- At least one Uppercase letter\n- At least one Lowercase letter\n- At least one Number\n- At least one Symbol/non-alphanumeric character\n- Users have permission to change their own password\n- Password expiration period\n- Password reuse\n- Password expiration requires administrator reset",
   "rule.criteria": "1e0076af-0ccd-4f1c-bba5-ac92964a5e6b",
-  "searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-account-password-policy' AND json.rule = 'requireNumbers contains false and requireSymbols contains false and expirePasswords contains false and allowUsersToChangePassword contains false and requireLowercaseCharacters contains false and requireUppercaseCharacters contains false and maxPasswordAge does not exist and passwordReusePrevention does not exist and minimumPasswordLength==6'",
+  "searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-account-password-policy' AND json.rule = 'isDefaultPolicy is false or requireNumbers contains false or requireSymbols contains false or expirePasswords contains false or allowUsersToChangePassword contains false or requireLowercaseCharacters contains false or requireUppercaseCharacters contains false or maxPasswordAge does not exist or passwordReusePrevention does not exist or minimumPasswordLength less than 14'",
   "recommendation": "1. Login to AWS Console and navigate to the 'IAM' Service\n2. Click on 'Account Settings'\n3. Under 'Password Policy', select and set all the options\n4. Click on 'Apply password policy'",
   "remediable": true,
   "remediation.cliScriptTemplate": "aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols --allow-users-to-change-password --password-reuse-prevention 24 --max-password-age 90",
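Review bot: The first clause of the new json.rule, `isDefaultPolicy is false`, reads as inverted: if `isDefaultPolicy` is true only when the account has never set a custom password policy (the convention the other password-policy rules in this family appear to follow), then every account that has configured a custom policy matches this alert no matter how strong it is, while the account still on the default policy is caught only by the remaining clauses. The intended clause is presumably `isDefaultPolicy is true or requireNumbers contains false or ...`; please confirm the attribute's meaning against the `aws-iam-get-account-password-policy` resource model before merging. Separately, the rule only checks that `maxPasswordAge` and `passwordReusePrevention` exist, whereas the unchanged `remediation.cliScriptTemplate` in the same hunk enforces 90 days and 24 remembered passwords, so a policy with a 365-day age or a reuse prevention of 1 passes detection yet is still rewritten by remediation; appending `or maxPasswordAge greater than 90 or passwordReusePrevention less than 24` would align detection with remediation. The description's last bullet (expiration requires administrator reset) has no corresponding clause in the rule either.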