Ensure Alibaba Cloud RAM password policy requires minimum length of 14 or greater

Error: Alibaba Cloud RAM password policy does not have a minimum of 14 characters

Bridgecrew Policy ID: BC_ALI_IAM_3
Checkov Check ID: CKV_ALI_13
Severity: MEDIUM

Alibaba Cloud RAM password policy does not have a minimum of 14 characters

Description

This policy identifies Alibaba Cloud accounts that do not have a minimum of 14 characters in the password policy. As a security best practice, configure a strong password policy for secure access to the Alibaba Cloud console.

Fix - Runtime

Alibaba Cloud Portal

  1. Log in to Alibaba Cloud Portal
  2. Go to Resource Access Management (RAM) service
  3. In the left-side navigation pane, click on 'Settings'
  4. In the 'Security Settings' tab, In the 'Password Strength Settings' Section, Click on 'Edit Password Rule'
  5. In the 'Password Length' field, enter 14 as the minimum number of characters for password complexity.
  6. Click on 'OK'
  7. Click on 'Close'

Fix - Buildtime - Terraform

resource "alicloud_ram_account_password_policy" "pass" {
  minimum_password_length      = 14
  require_lowercase_characters = false
  require_uppercase_characters = true
  require_numbers              = false
  require_symbols              = true
  hard_expiry                  = true
  max_password_age             = 14
  password_reuse_prevention    = 5
  max_login_attempts           = 3
}