turbot/steampipe-mod-alicloud-compliance

Control: 1.13 Ensure RAM password policy expires passwords within 90 days or less

Description

RAM password policies can require passwords to be expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.

Remediation

Perform the following to set the password policy as expected:

From Console

  1. Log on to the RAM console.
  2. Choose Identities > Settings.
  3. In the Password Strength Settings section, click Edit Password Rule.
  4. In the Password Validity Period field, enter 90 or a smaller number.
  5. Click OK.

From Command Line

aliyun ram SetPasswordPolicy --MaxPasswordAge 90
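
To confirm the setting from the command line, the following added example (not part of the mod or the benchmark text) classifies the output of `aliyun ram GetPasswordPolicy` against this control's 90-day threshold. It assumes the response nests `MaxPasswordAge` under `PasswordPolicy`, and it additionally reports 0 as non-compliant on the assumption that RAM uses 0 to mean passwords never expire; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: classify the RAM password expiry setting after remediation.
# Assumption: GetPasswordPolicy returns JSON shaped like
#   {"PasswordPolicy": {"MaxPasswordAge": <int>, ...}, "RequestId": "..."}

# Read GetPasswordPolicy JSON on stdin, print MaxPasswordAge (empty if absent).
extract_max_password_age() {
  tr -d ' \n\r\t' | sed -n 's/.*"MaxPasswordAge":\([0-9][0-9]*\).*/\1/p'
}

# Print "ok: ..." or "alarm: ..." for a MaxPasswordAge value.
# Assumption: 0 means passwords never expire, so it is reported as alarm.
evaluate_max_password_age() {
  if [ -z "$1" ]; then
    echo "alarm: password expiration not set"
  elif [ "$1" -eq 0 ]; then
    echo "alarm: MaxPasswordAge is 0, passwords never expire"
  elif [ "$1" -le 90 ]; then
    echo "ok: password expiration set to $1 days"
  else
    echo "alarm: password expiration set to $1 days"
  fi
}

# Audit a policy document on stdin; returns 0 only when compliant.
audit_policy_json() {
  _age="$(extract_max_password_age)"
  _result="$(evaluate_max_password_age "$_age")"
  echo "$_result"
  case "$_result" in
    ok:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample responses (not real account data).
SAMPLE_COMPLIANT='{"PasswordPolicy":{"MaxPasswordAge":90,"MinimumPasswordLength":12},"RequestId":"CONSTRUCTED"}'
SAMPLE_NEVER_EXPIRES='{"PasswordPolicy": {"MaxPasswordAge": 0}, "RequestId": "CONSTRUCTED"}'
SAMPLE_TOO_LONG='{"PasswordPolicy": {"MaxPasswordAge": 365}, "RequestId": "CONSTRUCTED"}'

# Live use, with credentials already configured for the aliyun CLI:
#   aliyun ram GetPasswordPolicy | audit_policy_json
```

The non-zero exit status of `audit_policy_json` lets a scheduled job or pipeline step fail when the policy drifts out of compliance.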

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_1_13

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_13 --share

SQL

This control uses a named query:

select
  'acs:ram::' || a.account_id as resource,
  case
    when max_password_age <= 90 then 'ok'
    else 'alarm'
  end as status,
  case
    when max_password_age is null then 'Password expiration not set.'
    else 'Password expiration set to ' || max_password_age || ' days.'
  end as reason,
  a.account_id as account_id
from
  alicloud_account as a
  left join alicloud_ram_password_policy as pol on a.account_id = pol.account_id;

Tags