Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
2Dashboards
163Benchmarks
65Queries
2Variables
GitHub

Control: 1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour

Description

RAM password policies can temporarily block logon after several incorrect logon attempts within an hour. It is recommended that the password policy is set to temporarily block logon after 5 incorrect logon attempts within an hour.

Remediation

Perform the following to set the password policy as expected:

Using the management console:

  1. Logon to RAM console.
  2. Choose Settings.
  3. In the Password section, click Modify.
  4. In the Max Attempts field, check the box next to Enable and enter 5 in the field.
  5. Click OK.

Using the CLI:

aliyun ram SetPasswordPolicy --MaxLoginAttempts 5

Default Value:

The default password policy does not define Max Attempts.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_1_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_1_14 --share

SQL

This control uses a named query:

select
  'acs:ram::' || a.account_id as resource,
  case
    when max_login_attempts <= 5 then 'ok'
    else 'alarm'
  end as status,
  case
    when max_login_attempts is null then 'Max login attempts not set.'
    else 'Max login attempts set to ' || max_login_attempts || '.'
  end as reason
  , a.account_id as account_id
from
  alicloud_account as a
  left join alicloud_ram_password_policy as pol on a.account_id = pol.account_id;

Tags

category = Compliance
cis = true
cis_item_id = 1.14
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v2.0.0
plugin = alicloud
service = AliCloud/RAM