Class: Terracop::Cop::Aws::BadPasswordPolicy

Inherits: Base < Object

Defined in: lib/terracop/cop/aws/bad_password_policy.rb

Overview

This cop flags a password policy that goes against industry best practice. Ideally the policy is strict enough that users need a password manager, and it never expires passwords.

Examples:

# bad
resource "aws_iam_account_password_policy" "policy" {
  minimum_password_length        = 4
  require_lowercase_characters   = true
  require_numbers                = true
  allow_users_to_change_password = false
  max_password_age               = 7
}

# good
resource "aws_iam_account_password_policy" "policy" {
  minimum_password_length        = 20
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
}

Instance Attribute Summary

Attributes inherited from Base

#attributes, #index, #name, #offenses, #type

Instance Method Summary

Methods inherited from Base

config, cop_name, #human_name, #initialize, #offense, run

Constructor Details

This class inherits a constructor from Terracop::Cop::Base

Instance Method Details

#check ⇒ Object

# File 'lib/terracop/cop/aws/bad_password_policy.rb', line 35

def check
  check_length
  check_characters
  check_age
end

#check_age ⇒ Object

# File 'lib/terracop/cop/aws/bad_password_policy.rb', line 63

def check_age
  # nil means max_password_age is not set, so passwords never expire
  # and no offense is raised.
  age = attributes['max_password_age']
  if age && age < 90
    offense('Expiring passwords is discouraged. If you really have ' \
            'to, do not do it more than once every 3 months.')
  end
end

#check_characters ⇒ Object

# File 'lib/terracop/cop/aws/bad_password_policy.rb', line 48

def check_characters
  if !attributes['require_uppercase_characters'] ||
     !attributes['require_lowercase_characters']
    offense('Require both lowercase and uppercase characters.')
  end

  unless attributes['require_numbers']
    offense('Require numbers in passwords.')
  end

  unless attributes['require_symbols']
    offense('Require symbols in passwords.')
  end
end

#check_length ⇒ Object

# File 'lib/terracop/cop/aws/bad_password_policy.rb', line 41

def check_length
  # Only an explicitly set, too-short value is flagged; an absent
  # minimum_password_length (nil) is skipped.
  length = attributes['minimum_password_length']
  if length && length < 14
    offense('Set the minimum password length policy to at least 14.')
  end
end
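The three checks above together form the whole rule set. The following is an added example, not Terracop's own code: it re-implements the same thresholds (14 characters, 90 days) as plain Ruby methods that run on raw HCL text without `Terracop::Cop::Base`, and feeds them the "bad" and "good" resources from the Examples section. The minimal `parse_password_policy` parser is an assumption for illustration and only understands the flat `key = value` attributes shown on this page.

```ruby
# Added example, not Terracop's own code: a stand-alone re-implementation of the
# BadPasswordPolicy rules that runs on raw HCL text without Terracop::Cop::Base.
# The parser below is an assumption for illustration and only understands the
# flat `key = value` attributes shown on this page.

MIN_PASSWORD_LENGTH = 14    # same threshold as check_length
MIN_PASSWORD_AGE_DAYS = 90  # same threshold as check_age

# Extract the attributes of the first aws_iam_account_password_policy block.
# Integers, booleans and double-quoted strings are converted; any other value
# is kept as the raw string.
def parse_password_policy(hcl)
  body = hcl[/resource\s+"aws_iam_account_password_policy"\s+"[^"]*"\s*\{(.*?)\n\}/m, 1]
  raise ArgumentError, 'no aws_iam_account_password_policy block found' unless body

  body.each_line.each_with_object({}) do |line, attrs|
    line = line.strip
    next if line.empty? || line.start_with?('#')

    key, raw = line.split('=', 2).map(&:strip)
    next if key.nil? || raw.nil?

    attrs[key] =
      case raw
      when /\A\d+\z/ then raw.to_i
      when 'true' then true
      when 'false' then false
      when /\A"(.*)"\z/ then Regexp.last_match(1)
      else raw
      end
  end
end

# Apply the same checks as the cop and return the offense messages.
# Note the cop's behaviour for absent attributes: a missing
# minimum_password_length or max_password_age is not flagged (nil is skipped),
# while a missing require_* attribute counts as false and is flagged.
def password_policy_offenses(attrs)
  offenses = []

  length = attrs['minimum_password_length']
  if length && length < MIN_PASSWORD_LENGTH
    offenses << "Set the minimum password length policy to at least #{MIN_PASSWORD_LENGTH}."
  end

  if !attrs['require_uppercase_characters'] || !attrs['require_lowercase_characters']
    offenses << 'Require both lowercase and uppercase characters.'
  end
  offenses << 'Require numbers in passwords.' unless attrs['require_numbers']
  offenses << 'Require symbols in passwords.' unless attrs['require_symbols']

  age = attrs['max_password_age']
  if age && age < MIN_PASSWORD_AGE_DAYS
    offenses << 'Expiring passwords is discouraged. If you really have ' \
                'to, do not do it more than once every 3 months.'
  end

  offenses
end

# Constructed inputs mirroring the "bad" and "good" examples on this page.
BAD_POLICY = <<~HCL
  resource "aws_iam_account_password_policy" "policy" {
    minimum_password_length        = 4
    require_lowercase_characters   = true
    require_numbers                = true
    allow_users_to_change_password = false
    max_password_age               = 7
  }
HCL

GOOD_POLICY = <<~HCL
  resource "aws_iam_account_password_policy" "policy" {
    minimum_password_length        = 20
    require_lowercase_characters   = true
    require_uppercase_characters   = true
    require_numbers                = true
    require_symbols                = true
    allow_users_to_change_password = true
  }
HCL

if __FILE__ == $PROGRAM_NAME
  { 'bad' => BAD_POLICY, 'good' => GOOD_POLICY }.each do |label, hcl|
    found = password_policy_offenses(parse_password_policy(hcl))
    puts "#{label}: #{found.size} offense(s)"
    found.each { |msg| puts "  - #{msg}" }
  end
end
```

Running it reports four offenses for the "bad" block (length, missing uppercase requirement, missing symbols, 7-day expiry) and none for the "good" block. One caveat worth knowing when relying on this cop: because `check_length` and `check_age` skip a `nil` attribute, a resource that simply omits `minimum_password_length` passes and falls back to the AWS account default, so a review should still confirm the attribute is present.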