Table: alicloud_ram_password_policy - Query Alibaba Cloud RAM Password Policies using SQL
Alibaba Cloud's Resource Access Management (RAM) is a service that helps manage user identities and access control. You can create and manage multiple identities under your Alibaba Cloud account, and control the access of these identities to your Alibaba Cloud resources. RAM allows you to grant fine-grained permissions and authorized access methods to users under your Alibaba Cloud account in a secure and controllable manner.
Table Usage Guide
The alicloud_ram_password_policy table provides insights into password policies within Alibaba Cloud Resource Access Management (RAM). As a security analyst, you can explore password policy details through this table, including minimum password length, password complexity requirements, and password change frequency. Use it to ensure that password policies comply with your organization's security standards and to identify any potential security risks.
Examples
Ensure RAM password policy requires at least one uppercase letter (CIS v1.1.7)
Assess the elements within your Alicloud RAM password policy to verify if it mandates the inclusion of at least one uppercase letter. This aids in enhancing password security, aligning with the CIS v1.1.7 benchmark.
select require_uppercase_characters, case require_uppercase_characters when true then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
select require_uppercase_characters, case require_uppercase_characters when 1 then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
Ensure RAM password policy requires at least one lowercase letter (CIS v1.1.8)
Assess the security of your password policy by determining if it necessitates the inclusion of at least one lowercase letter. This can help enhance your system's protection by ensuring passwords are more complex and harder to guess.
select require_lowercase_characters, case require_lowercase_characters when true then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
select require_lowercase_characters, case require_lowercase_characters when 1 then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
Ensure RAM password policy requires at least one symbol (CIS v1.1.9)
This example helps in assessing the security of your password policy by determining whether it mandates the inclusion of at least one symbol. This is crucial for enhancing password strength and reducing the risk of unauthorized access.
select require_symbols, case require_symbols when true then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
select require_symbols, case require_symbols when 1 then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
Ensure RAM password policy require at least one number (CIS v1.1.10)
Assess the elements within your Alicloud RAM password policy to ensure it mandates the inclusion of at least one numerical value, providing a simple pass or fail status. This aids in maintaining robust security standards as per the CIS v1.1.10 guidelines.
select require_numbers, case require_numbers when true then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
select require_numbers, case require_numbers when 1 then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
Ensure RAM password policy requires minimum length of 14 or greater (CIS v1.1.11)
Determine the strength of your password policy by checking if it requires a minimum length of 14 characters or more. This can help ensure your system's security by enforcing robust password requirements.
select minimum_password_length, case minimum_password_length >= 14 when true then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
select minimum_password_length, case when minimum_password_length >= 14 then 'pass' else 'fail' end as status from alicloud_ram_password_policy;
Control examples
- CIS v1.0.0 > 1 Identity and Access Management > 1.10 Ensure RAM password policy require at least one number
- CIS v1.0.0 > 1 Identity and Access Management > 1.11 Ensure RAM password policy requires minimum length of 14 or greater
- CIS v1.0.0 > 1 Identity and Access Management > 1.12 Ensure RAM password policy prevents password reuse
- CIS v1.0.0 > 1 Identity and Access Management > 1.13 Ensure RAM password policy expires passwords within 90 days or less
- CIS v1.0.0 > 1 Identity and Access Management > 1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
- CIS v1.0.0 > 1 Identity and Access Management > 1.7 Ensure RAM password policy requires at least one uppercase letter
- CIS v1.0.0 > 1 Identity and Access Management > 1.8 Ensure RAM password policy requires at least one lowercase letter
- CIS v1.0.0 > 1 Identity and Access Management > 1.9 Ensure RAM password policy require at least one symbol
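The reuse, expiry and logon-blocking controls in this list (1.12 to 1.14) have no query in the Examples section. The following is an added example, not part of the Steampipe documentation, that evaluates them from the password_reuse_prevention, max_password_age and max_login_attempts columns of this table using PostgreSQL syntax. The pass thresholds are assumptions taken from the control titles and the column descriptions: any non-zero reuse history passes 1.12, and a max_login_attempts value of 0 is assumed to mean no lockout is configured.

```sql
-- Added example (not from the Steampipe docs): one result row per control
-- for the reuse, expiry and logon-blocking checks (CIS 1.12 to 1.14).
with policy as (
  select
    account_id,
    password_reuse_prevention,
    max_password_age,
    max_login_attempts
  from
    alicloud_ram_password_policy
)
select
  account_id,
  '1.12 prevents password reuse' as control,
  password_reuse_prevention::text as observed,
  case
    -- 0 is the default and means reuse is not prevented.
    when password_reuse_prevention > 0 then 'pass'
    else 'fail'
  end as status
from policy
union all
select
  account_id,
  '1.13 expires passwords within 90 days or less',
  max_password_age::text,
  case
    -- 0 is the default and means the password never expires, so it fails.
    when max_password_age between 1 and 90 then 'pass'
    else 'fail'
  end
from policy
union all
select
  account_id,
  '1.14 blocks logon after 5 incorrect attempts within an hour',
  max_login_attempts::text,
  case
    -- Assumption: 0 means no limit on logon attempts, so it fails.
    when max_login_attempts between 1 and 5 then 'pass'
    else 'fail'
  end
from policy
order by control;
```

A null in any of the three columns falls through to 'fail', so a policy that could not be read is never reported as compliant.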
Schema for alicloud_ram_password_policy
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Alicloud Account ID in which the resource is located. |
hard_expiry | boolean | | Indicates whether the password has expired. |
max_login_attempts | bigint | | The maximum number of permitted logon attempts within one hour. The number of logon attempts is reset to zero if a RAM user changes the password. |
max_password_age | bigint | | The number of days for which a password is valid. Default value: 0. The default value indicates that the password never expires. |
minimum_password_length | bigint | | The minimum required number of characters in a password. |
password_reuse_prevention | bigint | | The number of previous passwords that the user is prevented from reusing. Default value: 0. The default value indicates that the RAM user is not prevented from reusing previous passwords. |
region | text | | The Alicloud region in which the resource is located. |
require_lowercase_characters | boolean | | Indicates whether a password must contain one or more lowercase letters. |
require_numbers | boolean | | Indicates whether a password must contain one or more digits. |
require_symbols | boolean | | Indicates whether a password must contain one or more special characters. |
require_uppercase_characters | boolean | | Indicates whether a password must contain one or more uppercase letters. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud
You can pass the configuration to the command with the --config argument:
steampipe_export_alicloud --config '<your_config>' alicloud_ram_password_policy