#!/usr/bin/env bash # Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente # # Licensed under the Apache License, Version 2.0 (the "License"); you may not # use this file except in compliance with the License. You may obtain a copy # of the License at http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software distributed # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_check110="1.10" CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" CHECK_SCORED_check110="SCORED" CHECK_TYPE_check110="LEVEL1" CHECK_SEVERITY_check110="Medium" CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check110="check110" CHECK_SERVICENAME_check110="iam" CHECK_RISK_check110='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.' CHECK_REMEDIATION_check110='Ensure "Number of passwords to remember" is set to 24.' CHECK_DOC_check110='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html' CHECK_CAF_EPIC_check110='IAM' check110(){ # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null) if [[ $COMMAND110 ]];then if [[ $COMMAND110 -gt "23" ]];then textPass "Password Policy limits reuse" else textFail "Password Policy has weak reuse requirement (lower than 24)" fi else textFail "Password Policy missing reuse requirement" fi }