detection.wiki

Detection rules › Panther

AWS Password Policy Complexity Guidelines

Severity
high
Compliance
CIS 1.5, 1.6, 1.7, 1.8, 1.9; PCI 8.2.3
Tags
AWS, Identity & Access Management, Credential Access:Brute Force, Configuration Required
Reference
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Source
github.com/panther-labs/panther-analysis

This policy validates that the account password policy enforces the recommended password complexity requirements.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1110 Brute Force

Rule body yaml

AnalysisType: policy
Filename: aws_password_policy_complexity_guidelines.py
PolicyID: "AWS.PasswordPolicy.ComplexityGuidelines"
DisplayName: "AWS Password Policy Complexity Guidelines"
Enabled: true
ResourceTypes:
  - AWS.PasswordPolicy
Tags:
  - AWS
  - Identity & Access Management
  - Credential Access:Brute Force
  - Configuration Required
Reports:
  CIS:
    - 1.5
    - 1.6
    - 1.7
    - 1.8
    - 1.9
  PCI:
    - 8.2.3
  MITRE ATT&CK:
    - TA0006:T1110
Severity: High
Description: >
  This policy validates that the account password policy enforces the recommended password complexity requirements.
Runbook: >
  https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-account-password-policy-enforces-complexity-guidelines
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Tests:
  - Name: Password Policy Does Not Require Lowercase Characters
    ExpectedResult: false
    Resource:
      {
        "AllowUsersToChangePassword": false,
        "AnyExist": true,
        "ExpirePasswords": true,
        "HardExpiry": false,
        "MaxPasswordAge": 90,
        "MinimumPasswordLength": 14,
        "PasswordReusePrevention": 24,
        "RequireLowercaseCharacters": false,
        "RequireNumbers": true,
        "RequireSymbols": true,
        "RequireUppercaseCharacters": true,
      }
  - Name: Password Policy Does Not Require Numbers
    ExpectedResult: false
    Resource:
      {
        "AllowUsersToChangePassword": false,
        "AnyExist": true,
        "ExpirePasswords": true,
        "HardExpiry": false,
        "MaxPasswordAge": 90,
        "MinimumPasswordLength": 14,
        "PasswordReusePrevention": 24,
        "RequireLowercaseCharacters": true,
        "RequireNumbers": false,
        "RequireSymbols": true,
        "RequireUppercaseCharacters": true,
      }
  - Name: Password Policy Does Not Require Symbols
    ExpectedResult: false
    Resource:
      {
        "AllowUsersToChangePassword": false,
        "AnyExist": true,
        "ExpirePasswords": true,
        "HardExpiry": false,
        "MaxPasswordAge": 90,
        "MinimumPasswordLength": 14,
        "PasswordReusePrevention": 24,
        "RequireLowercaseCharacters": true,
        "RequireNumbers": true,
        "RequireSymbols": false,
        "RequireUppercaseCharacters": true,
      }
  - Name: Password Policy Does Not Require Uppercase Characters
    ExpectedResult: false
    Resource:
      {
        "AllowUsersToChangePassword": false,
        "AnyExist": true,
        "ExpirePasswords": true,
        "HardExpiry": false,
        "MaxPasswordAge": 90,
        "MinimumPasswordLength": 14,
        "PasswordReusePrevention": 24,
        "RequireLowercaseCharacters": true,
        "RequireNumbers": true,
        "RequireSymbols": true,
        "RequireUppercaseCharacters": false,
      }
  - Name: Password Policy Enforces Insufficient Password Length
    ExpectedResult: false
    Resource:
      {
        "AllowUsersToChangePassword": false,
        "AnyExist": true,
        "ExpirePasswords": true,
        "HardExpiry": false,
        "MaxPasswordAge": 90,
        "MinimumPasswordLength": 8,
        "PasswordReusePrevention": 24,
        "RequireLowercaseCharacters": true,
        "RequireNumbers": true,
        "RequireSymbols": true,
        "RequireUppercaseCharacters": true,
      }
  - Name: Password Policy Meets All Complexity Requirements
    ExpectedResult: true
    Resource:
      {
        "AllowUsersToChangePassword": false,
        "AnyExist": true,
        "ExpirePasswords": true,
        "HardExpiry": false,
        "MaxPasswordAge": 90,
        "MinimumPasswordLength": 14,
        "PasswordReusePrevention": 24,
        "RequireLowercaseCharacters": true,
        "RequireNumbers": true,
        "RequireSymbols": true,
        "RequireUppercaseCharacters": true,
      }

Detection logic

Condition

not (RequireUppercaseCharacters not is_null and RequireLowercaseCharacters not is_null and RequireSymbols not is_null and RequireNumbers not is_null and  not not)

This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
MinimumPasswordLengthge14
MinimumPasswordLengthis_not_null(no value, null check)
RequireLowercaseCharactersis_null(no value, null check)
RequireNumbersis_null(no value, null check)
RequireSymbolsis_null(no value, null check)
RequireUppercaseCharactersis_null(no value, null check)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
RequireLowercaseCharactersis_null
  • (no value, null check)
RequireNumbersis_null
  • (no value, null check)
RequireSymbolsis_null
  • (no value, null check)
RequireUppercaseCharactersis_null
  • (no value, null check)