Ensure IAM password policy requires at least one uppercase letter (Scored)
Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter.
Rationale: Setting a password complexity policy increases account resiliency against brute force login attempts.
Medium
AWS_CIS_1_5
Perform the following to set the password policy as prescribed:
Via AWS Console
- Login to the AWS Console (with appropriate permissions to view and change the Identity and Access Management Account Settings)
- Go to the IAM service in the AWS Console
- Click on Account Settings in the left pane
- Check "Requires at least one uppercase letter"
- Click "Apply password policy"
Via CLI
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with "aws iam update-account-password-policy" can be combined into a single command, and they should be: the command replaces the whole account password policy, so any setting you leave off the command reverts to its AWS default (for example minimum length 6 and no symbol, number or lowercase requirement).
This map can be used to trigger an auto remediation for the password policy.
The map needs to be imported into an existing or new Kaholo project.
The AWS_CIS_1_5 map currently has the following map design:
Make sure that the Map Webhook Trigger is configured with the following configuration:
- The Configuration setting needs to be set to LaceworkConfig so that the LaceworkConfig configuration is used when the map is triggered.
- The Plugin setting needs to be configured with the Lacework Webhook Plugin kaholo-trigger-lacework
- For the Method setting you need to select Lacework Alert
- The Variable Event type needs to be configured with Value Compliance
- The Variable Recommendation ID needs to be configured with Value AWS_CIS_1_5.
- The Variable Event Severity needs to be configured with the Value Any or Medium
- Make sure to enable the Checkbox Include Higher Severities.
This configuration makes sure that the map is only triggered if the rec_id of the webhook payload equals the Recommendation ID AWS_CIS_1_5.
By default the map uses the LaceworkConfig configuration that is imported as part of the map.
By default the map has the following configurations:
{
"name": "LaceworkConfiguration",
"rec_id": "AWS_CIS_1_5",
"violationdescription": "Ensure IAM password policy requires at least one uppercase letter",
"eventuuid": "1268288c-a0b9-47c9-814f-f4195514f4e4",
"reportuuid": "44f37362-f1fb-447b-8723-941943b28d26",
"autoremediationviacli": "true",
"sendslackmessagesforremediation": "true",
"awsaccountid": "950194951070",
"reporttype": "AWS_CIS_S3"
}
Make sure you configure the following settings inside the LaceworkConfig configuration of the map:
- eventuuid: Make sure that the uuid used here is the uuid of the Get event details object inside the map. Due to the reimport of the Map the uuid of the event object could have changed. To check the uuid you can go to the Design of the map, open the Get event details building block.
Inside the configuration of the Get event details building block you will find the uuid:
- reportuuid: Make sure that the uuid used here is the uuid of the Get report details object inside the map. Due to the reimport of the map the uuid of the report object could have changed. To check the uuid you can go to the Design of the map and open the Get report details building block.
Inside the configuration of the Get report details building block you will find the uuid:
For the Auto Remediation the map currently has a single Command Line object that can be used and extended to define the Auto Remediation for this map. It is enabled by setting autoremediationviacli to true inside the configuration of the map. For now the map will only echo the change of the password policy. To actually apply the change, remove the echo in front of the aws cli command:
echo aws iam update-account-password-policy --require-uppercase-characters
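As an added example (not code from the Kaholo map or from Lacework), the following Python script shows a safer form of the CLI remediation above. The AWS CLI's update-account-password-policy call is not a partial update: any setting omitted from the command reverts to its AWS default, so the single-flag command above can weaken other settings the account already enforces (minimum length, symbols, numbers, expiry, reuse prevention). The script reads the current policy with get-account-password-policy, re-applies every existing value together with the uppercase requirement, and runs as a dry run unless --apply is given. The --profile handling is a hypothetical convenience; the aws executable and working credentials are assumed to be available on the host.

```python
"""Added example, not part of the Kaholo map or of the Lacework or AWS tooling:
apply the AWS_CIS_1_5 fix without silently weakening the rest of the policy.

`aws iam update-account-password-policy` does not do partial updates: every
setting left off the command reverts to its AWS default (minimum length 6,
no symbol/number/lowercase requirement, no expiry, no reuse prevention).
Running only `--require-uppercase-characters`, as the echo'd remediation
command does, can therefore undo hardening that was already in place.
This script reads the current policy first and re-applies every existing
value together with the uppercase requirement.
"""
import json
import subprocess
import sys

# get-account-password-policy JSON keys -> update-account-password-policy flags.
# Boolean settings use the CLI's --flag / --no-flag pairs; integers take a value.
BOOL_FLAGS = {
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "RequireNumbers": "require-numbers",
    "RequireSymbols": "require-symbols",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}
INT_FLAGS = {
    "MinimumPasswordLength": "minimum-password-length",
    "MaxPasswordAge": "max-password-age",
    "PasswordReusePrevention": "password-reuse-prevention",
}


def is_compliant(policy):
    """AWS_CIS_1_5 passes when the policy requires an uppercase letter."""
    return bool(policy.get("RequireUppercaseCharacters", False))


def build_update_command(policy, profile=None):
    """argv that re-applies `policy` with RequireUppercaseCharacters forced on.

    `policy` is the PasswordPolicy object from get-account-password-policy, or
    {} when the account has no custom policy yet (AWS defaults apply then).
    """
    cmd = ["aws", "iam", "update-account-password-policy"]
    if profile:  # hypothetical option: run against a named AWS CLI profile
        cmd += ["--profile", profile]
    merged = dict(policy)
    merged["RequireUppercaseCharacters"] = True
    for key, flag in BOOL_FLAGS.items():
        # Pass every boolean explicitly so nothing depends on the API default.
        cmd.append(f"--{flag}" if merged.get(key) else f"--no-{flag}")
    for key, flag in INT_FLAGS.items():
        if merged.get(key) is not None:
            cmd += [f"--{flag}", str(merged[key])]
    return cmd


def get_current_policy(profile=None):
    """Fetch the live policy; {} if the account has none (NoSuchEntity)."""
    cmd = ["aws", "iam", "get-account-password-policy", "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        if "NoSuchEntity" in proc.stderr:
            return {}
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout)["PasswordPolicy"]


def main(argv):
    """Dry run by default; pass --apply to execute the update command."""
    profile = argv[argv.index("--profile") + 1] if "--profile" in argv else None
    policy = get_current_policy(profile)
    if is_compliant(policy):
        print("AWS_CIS_1_5: already compliant, nothing to do")
        return 0
    cmd = build_update_command(policy, profile)
    if "--apply" not in argv:
        print("dry run, would execute:", " ".join(cmd))
        return 0
    subprocess.run(cmd, check=True)
    print("AWS_CIS_1_5: uppercase requirement applied, other settings preserved")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run the script once without --apply to see the exact command it would execute; that printed command is what belongs in the Command Line object in place of the single-flag echo line, so the map never resets the other password policy settings when it fires.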
- rec_id: This shouldn't be changed. The Recommendation ID is shown as part of the Slack output messages and is used to check whether the event or the report contains a violation of this policy ID.
- violationdescription: This setting is used to send details about the event inside the Slack output message. Feel free to change it for your needs.
For the Slack building block Remediated you can configure a Slack Webhook URL; it has to be stored inside the Kaholo Vault before you can select it.
It will send a Slack message to the configured webhook. We recommend configuring it similar to the webhook you use within Lacework as an alert channel, so you can see the Auto Remediation effect right after the alert was sent by Lacework.
If you don't have Slack or don't need Slack messages, feel free to simply remove both Slack objects from your map.
- sendslackmessagesforremediation (Optional): set it to false within the LaceworkConfig to not send Slack messages for an account that is violating this policy.
There is no need to wait for Lacework to send the webhook alert for the generated event when you want to test the map. If you plan to test it immediately, you can trigger the map with a simple curl command that sends the necessary information, or you can manually start the map so that it uses the latest AWS report instead of an event.
Before you can trigger the webhook you need an event generated within your Lacework instance. Please make sure you run a compliance report right after you changed the account password policy so that it violates this recommendation (uppercase letters not required).
Events are generated every hour after the compliance report has finished. As soon as you have an event, we recommend using the event information to create an example webhook trigger inside your terminal using the following environment variables. Make sure to update them with the information from the event you generated.
export EVENTTITLE="New Violations"
export EVENTTYPE=Compliance
export EVENTTIMESTAMP="27 Jan 2021 16:00 GMT"
export EVENTSOURCE=AWSCompliance
export EVENTID=11
export EVENTSEVERITY=1
export WEBHOOKURL=https://mykaholoinstance.kaholo.io/webhook/lacework/alert
export LACEWORKINSTANCE=mylaceworkinstance
export EVENTDESCRIPTION="AWS Account 112233445566 (lacework-test) : AWS_CIS_1_5 Ensure IAM password policy requires at least one uppercase letter"
export REC_ID=AWS_CIS_1_5
You need to replace the following before you apply the environment variables:
- EVENTID with the EventID that was generated inside the Lacework environment.
- WEBHOOKURL with your Kaholo Webhook Url. Normally kaholo is listening on port 3000 and the URL path for the webhook alerting is /webhook/lacework/alert.
- LACEWORKINSTANCE your Lacework instance where you created that event.
- EVENTDESCRIPTION replace the AWS Account with your environment specific AWS Account ID.
With that you can trigger the webhook inside kaholo by using the following curl command:
curl -X POST -H 'Content-type: application/json' --data '{"event_title": "'"$EVENTTITLE"'", "event_link": "https://'"$LACEWORKINSTANCE"'.lacework.net/ui/investigation/recents/EventDossier-'"$EVENTID"'", "lacework_account": "'"$LACEWORKINSTANCE"'", "event_source": "'"$EVENTSOURCE"'", "event_description":"'"$EVENTDESCRIPTION"'", "event_timestamp":"'"$EVENTTIMESTAMP"'", "event_type": "Compliance", "event_id": "'"$EVENTID"'", "event_severity": "'"$EVENTSEVERITY"'", "rec_id": "'"$REC_ID"'"}' $WEBHOOKURL
We recommend checking the Execution Results when you give it a try. That way you make sure it applies the right change to the account password policy, in the right AWS account, before you enable the auto remediation.
The map supports multiple AWS accounts for events sent by Lacework. You need to make sure that you saved the AWS access key ID and the AWS secret access key of each account under the following names, prefixed with the AWS account ID:
- <AWS account ID>_aws_access_key_id: example 12345678912_aws_access_key_id
- <AWS account ID>_aws_secret_access_key_id: example 12345678912_aws_secret_access_key_id
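To check a payload before it is posted to Kaholo, here is an added example in Python (not part of the Kaholo map or the kaholo-trigger-lacework plugin) that applies the three trigger conditions described above (event type, Recommendation ID, and severity with Include Higher Severities) and derives the access key names the map looks up for the account named in event_description, following the <account id>_aws_access_key_id format above. It assumes Lacework's numeric severity scale runs from 1 (Critical) to 5 (Info), so that Medium with Include Higher Severities accepts 3, 2 and 1; the payload keys are the ones used by the curl command above, and the sample payloads are constructed for this example.

```python
"""Added example, not part of the Kaholo map or the kaholo-trigger-lacework
plugin: reproduce the Webhook Trigger filter of this map and derive the
access key names the map needs for the account named in the event, so a
payload can be sanity-checked before it is posted to the webhook URL.

Assumptions not confirmed by this README:
- Lacework numeric severities run 1 (Critical) to 5 (Info), so "Medium"
  with "Include Higher Severities" accepts 3, 2 and 1.
- The payload keys are the ones used in the curl example above.
- Credentials are named "<account id>_aws_access_key_id" and
  "<account id>_aws_secret_access_key_id" as described above.
The sample payloads below are constructed for this example.
"""
import re

SEVERITY_LEVELS = {"critical": 1, "high": 2, "medium": 3, "low": 4, "info": 5}

# Mirrors the Webhook Trigger settings documented for this map.
TRIGGER = {"event_type": "Compliance", "rec_id": "AWS_CIS_1_5",
           "severity": "Medium", "include_higher": True}

# Lacework writes the account as "AWS Account <12 digits> (<alias>) : ..."
ACCOUNT_RE = re.compile(r"AWS Account (\d{12})")


def severity_matches(event_severity, configured, include_higher):
    """True if the numeric event severity satisfies the configured level."""
    if configured.lower() == "any":
        return True
    threshold = SEVERITY_LEVELS[configured.lower()]
    sev = int(event_severity)
    # Lower number = more severe, so "higher severities" are sev < threshold.
    return sev == threshold or (include_higher and sev < threshold)


def should_trigger(payload, trigger=TRIGGER):
    """Return (matched, reason) for a Lacework alert payload."""
    if payload.get("event_type") != trigger["event_type"]:
        return False, "event_type mismatch"
    if payload.get("rec_id") != trigger["rec_id"]:
        return False, "rec_id mismatch"
    if not severity_matches(payload.get("event_severity", "5"),
                            trigger["severity"], trigger["include_higher"]):
        return False, "severity below threshold"
    return True, "matched"


def account_id_from_description(description):
    """Extract the 12-digit AWS account ID from event_description, or None."""
    m = ACCOUNT_RE.search(description or "")
    return m.group(1) if m else None


def credential_names(account_id):
    """Names of the two stored credentials the map needs for this account."""
    return (f"{account_id}_aws_access_key_id",
            f"{account_id}_aws_secret_access_key_id")


def plan(payload, trigger=TRIGGER):
    """One-line summary of what the map would do with this payload."""
    matched, reason = should_trigger(payload, trigger)
    if not matched:
        return f"ignored ({reason})"
    account = account_id_from_description(payload.get("event_description"))
    if account is None:
        return "matched, but no AWS account ID in event_description"
    key_id, secret = credential_names(account)
    return f"remediate account {account} using credentials {key_id}, {secret}"


# Constructed sample payloads (same shape as the curl example in this README).
SAMPLES = {
    "critical AWS_CIS_1_5": {
        "event_type": "Compliance", "rec_id": "AWS_CIS_1_5", "event_severity": "1",
        "event_description": "AWS Account 112233445566 (lacework-test) : "
                             "AWS_CIS_1_5 Ensure IAM password policy requires "
                             "at least one uppercase letter"},
    "low AWS_CIS_1_5": {
        "event_type": "Compliance", "rec_id": "AWS_CIS_1_5", "event_severity": "4",
        "event_description": "AWS Account 112233445566 (lacework-test) : "
                             "AWS_CIS_1_5 Ensure IAM password policy requires "
                             "at least one uppercase letter"},
    "other recommendation": {
        "event_type": "Compliance", "rec_id": "AWS_CIS_1_4", "event_severity": "1",
        "event_description": "AWS Account 112233445566 (lacework-test) : "
                             "AWS_CIS_1_4 Ensure IAM password policy requires "
                             "at least one number"},
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {plan(payload)}")
```

Running the script shows that the test payload built by the curl command above (severity 1, rec_id AWS_CIS_1_5) is accepted by a Medium threshold only because Include Higher Severities is enabled; with the checkbox off, the same Critical event would not start the map.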
We recommend using the map with the principle of least privilege, so that the Auto Remediation account can only read and update the account password policy (iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy).
The Map is using (needs to be updated with least privilege)
The Map Version 1.0 (13th of January 2022) supports the following:
- Create a custom Auto Remediation.
- Sending Slack messages for the user accounts violating the policy
- Sending Slack messages if the user account is ignored.
- Adding information about the least privilege role necessary to execute this map.
- Adding Auto Remediation example with Lambda functions
- Adding Auto Remediation example with terraform
- Adding Auto Remediation example with pulumi