class Terracop::Cop::Aws::BadPasswordPolicy
This cop warns against a password policy that goes against industry best practices. Ideally, the password policy should be strict enough to require the use of a password manager, and it should never expire passwords.
@example
# bad
resource "aws_iam_account_password_policy" "policy" {
  # Below the 14-character minimum that check_length enforces.
  minimum_password_length = 4
  require_lowercase_characters = true
  require_numbers = true
  # require_uppercase_characters and require_symbols are not set, so
  # check_characters reports an offense for each of them.
  # allow_users_to_change_password is not inspected by the checks shown on this page.
  allow_users_to_change_password = false
  # Forces rotation every 7 days; check_age flags any expiry shorter than 90 days.
  max_password_age = 7
}

# good
resource "aws_iam_account_password_policy" "policy" {
  minimum_password_length = 20
  require_lowercase_characters = true
  require_uppercase_characters = true
  require_numbers = true
  require_symbols = true
  allow_users_to_change_password = true
  # max_password_age is left out, so check_age has nothing to flag.
}
Public Instance Methods
check()
# File lib/terracop/cop/aws/bad_password_policy.rb, line 35
# Entry point for the cop: runs the length, character-class and expiry checks
# in that order. The value of the last check is returned, as it would be from
# three plain calls in sequence.
def check
  %i[check_length check_characters check_age].map { |step| send(step) }.last
end
check_age()
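# File lib/terracop/cop/aws/bad_password_policy.rb, line 63
# Flags a policy that forces password rotation more often than every 90 days.
#
# Reads `max_password_age` from the resource attributes. A missing value and a
# value of 0 are both left alone: AWS treats 0 as "passwords never expire",
# which is the setting this cop recommends, so it must not be reported as a
# rotation that is too frequent.
def check_age
  age = attributes['max_password_age']
  return unless age && age.positive? && age < 90

  offense('Expiring passwords is discouraged. If you really have ' \
          'to, do not do it more than once every 3 months.')
end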
check_characters()
# File lib/terracop/cop/aws/bad_password_policy.rb, line 48
# Reports an offense for each character class the policy does not require.
# Upper- and lowercase share one message; numbers and symbols each have their
# own. A nil attribute value is treated the same as false.
def check_characters
  mixed_case = attributes['require_uppercase_characters'] &&
               attributes['require_lowercase_characters']
  offense('Require both lowercase and uppercase characters.') unless mixed_case
  offense('Require numbers in passwords.') unless attributes['require_numbers']
  offense('Require symbols in passwords.') unless attributes['require_symbols']
end
check_length()
# File lib/terracop/cop/aws/bad_password_policy.rb, line 41
# Reports an offense when `minimum_password_length` is set below 14.
# NOTE(review): a nil value is skipped rather than flagged; confirm that an
# omitted attribute cannot leave a shorter provider default in effect.
def check_length
  min_len = attributes['minimum_password_length']
  return unless min_len && min_len < 14

  offense('Set the minimum password length policy to at least 14.')
end