Control: 1.5 Ensure IAM password policy expires passwords within 365 days
Description
IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 365 days and that passwords are changed immediately in response to key events.
Excessive password expiration requirements do more harm than good, because they lead users to select predictable passwords composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted from the previous one (for example, by incrementing a number used in the password). Password expiration requirements also offer no containment benefit, because attackers will often use credentials as soon as they compromise them. Instead, immediate password changes should be triggered by key events including, but not limited to:
- Indication of compromise
- Change of user roles
- When a user leaves the organization
Not only does changing passwords every few weeks or months frustrate the user, it’s been suggested that it does more harm than good, because it could lead to bad practices by the user such as adding a character to the end of their existing password.
In addition, we also recommend a yearly password change. This is primarily because, for all their good intentions, users will share credentials across accounts. Therefore, even if a breach is publicly identified, the user may not see the notification, or may forget they have an account on that site. This could leave a shared credential vulnerable indefinitely. Having an organizational policy of a 1-year (annual) password expiration is a reasonable compromise that mitigates this with minimal user burden.
Remediation
OCI IAM without Identity Domains - Identity Cloud Service (IDCS)
- Login to the IDCS Admin Console.
- Expand the Navigation Drawer, click Settings, and then click Password Policy.
- Click the Change Your Password Policy button.
- Update the number of days configured in the Expires after setting to 365.
OCI IAM with Identity Domains
- Go to Identity Domains: https://cloud.oracle.com/identity/domains/.
- Select the Compartment that the Domain to remediate is in.
- Click on the Domain to remediate.
- Click on Settings.
- Click on the Password policy to remediate.
- Click Edit password rules.
- Change Expires after (days) to 365.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_5 --share
SQL
This control uses a named query:
manual_control