Control: 1.13 Ensure RAM password policy expires passwords in 365 days or greater
Description
RAM password policies can require passwords to be expired after a given number of days. It is recommended that the password policy expire passwords in 365 days or greater.
Remediation
Perform the following to set the password policy as expected:
Using the management console:
- Log on to the RAM console.
- Choose Settings.
- In the Password section, click Modify.
- Check the box under Max Age, enter 365 or a greater number up to 1095.
- Click OK.
Using the CLI:
aliyun ram SetPasswordPolicy --MaxPasswordAge 365
Default Value:
The default password policy does not define max age.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v200_1_13
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_1_13 --share
SQL
This control uses a named query:
select
  'acs:ram::' || a.account_id as resource,
  case
    when max_password_age is null then 'alarm'
    when max_password_age >= 365 then 'ok'
    else 'alarm'
  end as status,
  case
    when max_password_age is null then 'Password expiration not set.'
    else 'Password expiration set to ' || max_password_age || ' days.'
  end as reason,
  a.account_id as account_id
from
  alicloud_account as a
  left join alicloud_ram_password_policy as pol on a.account_id = pol.account_id;
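To confirm the setting from the CLI after remediation, the following added example (not part of the original page or of the alicloud_compliance mod) applies the same status rule as the query above to the JSON returned by `aliyun ram GetPasswordPolicy`. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `aliyun ram GetPasswordPolicy` JSON output with
# the same rule as the control's query (missing -> alarm, >= 365 -> ok).

# Extract MaxPasswordAge from JSON on stdin; prints nothing if the key is absent.
# Works on both compact and pretty-printed output.
ram_max_age() {
  grep -o '"MaxPasswordAge"[[:space:]]*:[[:space:]]*[0-9][0-9]*' |
    head -n 1 | sed 's/.*:[[:space:]]*//'
}

# Print "ok" or "alarm" followed by the reason, mirroring the query's case logic.
ram_max_age_status() {
  age=$(ram_max_age)
  if [ -z "$age" ]; then
    echo "alarm: Password expiration not set."
  elif [ "$age" -ge 365 ]; then
    echo "ok: Password expiration set to $age days."
  else
    # Any value below 365, including 0, is reported as an alarm, as in the query.
    echo "alarm: Password expiration set to $age days."
  fi
}

# Constructed sample responses (not captured from a real account).
SAMPLE_COMPLIANT='{"PasswordPolicy":{"MinimumPasswordLength":12,"MaxPasswordAge":365},"RequestId":"constructed-example"}'
SAMPLE_SHORT='{
  "PasswordPolicy": { "MaxPasswordAge": 90, "MinimumPasswordLength": 12 }
}'
SAMPLE_UNSET='{"PasswordPolicy":{"MinimumPasswordLength":12}}'

# Live use (requires a configured aliyun CLI):
#   aliyun ram GetPasswordPolicy | ram_max_age_status
```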