From 7fe8a31f0051cc30a9aba5545aebfcab27409579 Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Thu, 11 Mar 2021 10:46:12 +0100 Subject: [PATCH 1/2] Add IAM password policy changes --- ...-10-17-how-to-achieve-cis-benchmark-compliance.adoc | 10 +++------- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 8 ++++++++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc index 971b6bb34..fbad6e1eb 100644 --- a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc +++ b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc @@ -190,7 +190,7 @@ In the subsequent sections, we'll review the recommendations and discuss how to [[configure_authentication]] ==== Configure authentication One of main areas of concern in the IAM section relates to authentication. The Benchmark has recommendations for IAM -users and the root user account, password complexity, and multi-factor authentication. There is more than one way to +users and the root user account, password policy, and multi-factor authentication. There is more than one way to authenticate to AWS, and the method you choose determines how to implement these recommendations in your code. ===== Federated authentication using SAML @@ -393,7 +393,7 @@ them by other IAM policies. Attach a policy like this one to every group in your account. ==== Password policy -The IAM password policy is perhaps the most straightforward and explicit set of recommendations (1.8-1.9) in the entire +The IAM password policy is perhaps the most straightforward and explicit set of recommendations (1.8-1.9 and 1.12) in the entire Benchmark. You can invoke link:https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html[the Terraform `aws_iam_account_password_policy` resource] to implement the recommended policy. 
@@ -403,10 +403,6 @@ For example: ---- resource "aws_iam_account_password_policy" "aws_foundations_benchmark_policy" { minimum_password_length = 14 - require_numbers = true - require_symbols = true - require_lowercase_characters = true - require_uppercase_characters = true allow_users_to_change_password = true hard_expiry = true max_password_age = 90 @@ -908,7 +904,7 @@ variable "aws_region" { variable "minimum_password_length" { description = "Minimum length to require for user passwords." type = number - default = 20 + default = 14 } ---- diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index b266d782d..f637abdb6 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -70,6 +70,14 @@ between versions 1.2.0 and 1.3.0: - 4.15: Ensure a log metric filter and alarm exists for AWS Organizations changes - 5.1: Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports +==== Deleted recommendations +Version 1.3.0 removed some recommendations, but they only affect the IAM password policy: + +- 1.5: Ensure IAM password policy requires at least one uppercase letter +- 1.6: Ensure IAM password policy require at least one lowercase letter +- 1.7: Ensure IAM password policy require at least one symbol +- 1.8: Ensure IAM password policy require at least one number + ==== New Gruntwork modules vs. existing modules To achieve compliance with the newly added 10 recommendations listed above, we created four new modules in the Gruntwork's Infrastructure as Code Library, and updated a bunch of existing modules. Namely: recommendations 1.19, 1.21, From b5b84d710e5d4e85d5cf6b2149de0fe331c42933 Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Thu, 11 Mar 2021 11:24:33 +0100 Subject: [PATCH 2/2] Update service catalog minimum version --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index f637abdb6..0c0d780b2 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -151,7 +151,7 @@ compatible with CIS AWS v1.3.0: |1.20, 2.1.1, 2.1.2 |terraform-aws-cis-service-catalog -|https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.10.0[v0.10.0] +|https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.11.1[v0.11.1] |3.10, 3.11, 4.15, 5.1 |terraform-aws-service-catalog
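Review bot: in the `@@ -393,7 +393,7 @@` hunk of `2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc`, adding "and 1.12" to the parenthetical leaves the reader unable to tell which Benchmark version's numbering is meant or which argument of `aws_iam_account_password_policy` satisfies it: the same patch lists the deleted password-policy recommendations as 1.5-1.8 in the other post, so 1.8 denotes different things in the two files. Suggest naming the version in the prose ("recommendations 1.8, 1.9 and 1.12 of v1.3.0") and adding one sentence after the example that maps each cited recommendation to the argument implementing it, e.g. `minimum_password_length = 14` and `max_password_age = 90`, so the example and the citation stay in step.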
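Review bot: in the `@@ -403,10 +403,6 @@` hunk, deleting `require_numbers`, `require_symbols`, `require_lowercase_characters` and `require_uppercase_characters` silently weakens the policy that readers copy, while the wording elsewhere in this patch only says the Benchmark no longer requires them, not that they should be turned off. Suggest either keeping the four lines with a comment that they go beyond v1.3.0, or adding a sentence after the resource block stating that these arguments are no longer needed for compliance but remain valid if a team wants complexity rules in addition to `minimum_password_length = 14`.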
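Review bot: in the `@@ -908,7 +904,7 @@` hunk, the `minimum_password_length` default drops from 20 to 14 without touching the `description`, so nothing tells a reader why 14 and not a smaller value is acceptable. Aligning the variable with the `minimum_password_length = 14` used in the resource example above is fine, but the description should state that 14 is the floor the post presents as the recommended policy, for example `description = "Minimum length to require for user passwords (14 is the Benchmark minimum)."`, otherwise operators may lower it further when they override the variable.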
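Review bot: in the `@@ -70,6 +70,14 @@` hunk of `2021-01-06-how-to-update-to-cis-13.adoc`, the verb is inconsistent across the new list (1.5 reads "requires", 1.6 to 1.8 read "require"), and the lead sentence "removed some recommendations, but they only affect the IAM password policy" is vague given that the list is exactly four complexity rules. Suggest "Version 1.3.0 also removed four recommendations, all of them IAM password-policy complexity rules (numbered as in v1.2.0):" and "requires" on every item; stating the numbering scheme matters because the other post in this patch uses 1.8 for a password-policy recommendation that still exists in v1.3.0.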
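Review bot: in the `@@ -151,7 +151,7 @@` hunk of the second patch, the table cell moves the `terraform-aws-cis-service-catalog` minimum from v0.10.0 to v0.11.1, but neither the commit message "Update service catalog minimum version" nor the surrounding text says what changed between those releases. If v0.11.1 is the release that aligns the module with the password-policy changes in the first patch, say so in the commit body or in a short note next to the table, so readers know why v0.10.0 is no longer listed as sufficient for the 1.20, 2.1.1 and 2.1.2 row.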