Ensure Alibaba Cloud RAM password policy requires at least one number

Error: Alibaba Cloud RAM password policy does not have a number

Bridgecrew Policy ID: BC_ALI_IAM_2
Checkov Check ID: CKV_ALI_14
Severity: MEDIUM

Description

This policy identifies Alibaba Cloud accounts whose RAM password policy does not require at least one number in passwords. As a security best practice, configure a strong password policy for secure access to the Alibaba Cloud console.

Fix - Runtime

Alibaba Cloud Portal

  1. Log in to the Alibaba Cloud Portal.
  2. Go to the Resource Access Management (RAM) service.
  3. In the left-side navigation pane, click 'Settings'.
  4. In the 'Security Settings' tab, in the 'Password Strength Settings' section, click 'Edit Password Rule'.
  5. In the 'Required Elements in Password' field, select 'Numbers'.
  6. Click 'OK'.
  7. Click 'Close'.

Fix - Buildtime

Terraform

resource "alicloud_ram_account_password_policy" "pass" {
  minimum_password_length      = 14
  require_lowercase_characters = false
  require_uppercase_characters = true
  require_numbers              = true # the setting this policy (CKV_ALI_14) checks
  require_symbols              = true
  hard_expiry                  = true
  max_password_age             = 14
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}