turbot/alicloud
steampipe plugin install alicloud

Table: alicloud_ram_password_policy - Query Alibaba Cloud RAM Password Policies using SQL

Alibaba Cloud's Resource Access Management (RAM) is a service that helps manage user identities and access control. You can create and manage multiple identities under your Alibaba Cloud account, and control the access of these identities to your Alibaba Cloud resources. RAM allows you to grant fine-grained permissions and authorized access methods to users under your Alibaba Cloud account in a secure and controllable manner.

Table Usage Guide

The alicloud_ram_password_policy table provides insights into password policies within Alibaba Cloud Resource Access Management (RAM). As a security analyst, you can explore password policy details through this table, including minimum password length, password complexity requirements, and password change frequency. Use it to ensure that password policies comply with your organization's security standards and to identify any potential security risks.

Examples

Ensure RAM password policy requires at least one uppercase letter (CIS v1.1.7)

Assess the elements within your Alicloud RAM password policy to verify if it mandates the inclusion of at least one uppercase letter. This aids in enhancing password security, aligning with the CIS v1.1.7 benchmark.

-- PostgreSQL
select
  require_uppercase_characters,
  case
    require_uppercase_characters
    when true then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

-- SQLite
select
  require_uppercase_characters,
  case
    require_uppercase_characters
    when 1 then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

Ensure RAM password policy requires at least one lowercase letter (CIS v1.1.8)

Assess the security of your password policy by determining if it necessitates the inclusion of at least one lowercase letter. This can help enhance your system's protection by ensuring passwords are more complex and harder to guess.

-- PostgreSQL
select
  require_lowercase_characters,
  case
    require_lowercase_characters
    when true then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

-- SQLite
select
  require_lowercase_characters,
  case
    require_lowercase_characters
    when 1 then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

Ensure RAM password policy requires at least one symbol (CIS v1.1.9)

This example helps in assessing the security of your password policy by determining whether it mandates the inclusion of at least one symbol. This is crucial for enhancing password strength and reducing the risk of unauthorized access.

-- PostgreSQL
select
  require_symbols,
  case
    require_symbols
    when true then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

-- SQLite
select
  require_symbols,
  case
    require_symbols
    when 1 then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

Ensure RAM password policy requires at least one number (CIS v1.1.10)

Assess the elements within your Alicloud RAM password policy to ensure it mandates the inclusion of at least one numerical value, providing a simple pass or fail status. This aids in maintaining robust security standards as per the CIS v1.1.10 guidelines.

-- PostgreSQL
select
  require_numbers,
  case
    require_numbers
    when true then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

-- SQLite
select
  require_numbers,
  case
    require_numbers
    when 1 then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

Ensure RAM password policy requires minimum length of 14 or greater (CIS v1.1.11)

Determine the strength of your password policy by checking if it requires a minimum length of 14 characters or more. This can help ensure your system's security by enforcing robust password requirements.

-- PostgreSQL
select
  minimum_password_length,
  case
    minimum_password_length >= 14
    when true then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;

-- SQLite
select
  minimum_password_length,
  case
    when minimum_password_length >= 14 then 'pass'
    else 'fail'
  end as status
from
  alicloud_ram_password_policy;
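
The five checks above can be combined into one report with one row per account and setting. This is an added example for PostgreSQL, not a query from the plugin documentation. The two rows labelled 'schema note' are not CIS checks from this page: they only flag the schema-documented default of 0 (password never expires, no reuse prevention). Treating a NULL value as a fail is an assumption of this example.

```sql
-- Added example (PostgreSQL): consolidated password policy report.
-- One output row per account and per evaluated setting.
select
  p.account_id,
  c.control,
  c.setting,
  c.current_value,
  case when c.ok then 'pass' else 'fail' end as status
from
  alicloud_ram_password_policy as p
  cross join lateral (
    values
      -- Checks taken from the examples on this page.
      ('CIS v1.1.7', 'require_uppercase_characters',
        p.require_uppercase_characters::text,
        coalesce(p.require_uppercase_characters, false)),
      ('CIS v1.1.8', 'require_lowercase_characters',
        p.require_lowercase_characters::text,
        coalesce(p.require_lowercase_characters, false)),
      ('CIS v1.1.9', 'require_symbols',
        p.require_symbols::text,
        coalesce(p.require_symbols, false)),
      ('CIS v1.1.10', 'require_numbers',
        p.require_numbers::text,
        coalesce(p.require_numbers, false)),
      ('CIS v1.1.11', 'minimum_password_length',
        p.minimum_password_length::text,
        coalesce(p.minimum_password_length >= 14, false)),
      -- Not CIS checks from this page: 0 is the documented "not enforced" default.
      ('schema note', 'max_password_age',
        p.max_password_age::text,
        coalesce(p.max_password_age > 0, false)),
      ('schema note', 'password_reuse_prevention',
        p.password_reuse_prevention::text,
        coalesce(p.password_reuse_prevention > 0, false))
  ) as c (control, setting, current_value, ok)
order by
  p.account_id,
  c.setting;
```

Append `where not c.ok` before the `order by` clause to list only the failing settings.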

Schema for alicloud_ram_password_policy

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| account_id | text | | The Alicloud Account ID in which the resource is located. |
| hard_expiry | boolean | | Indicates whether the password has expired. |
| max_login_attempts | bigint | | The maximum number of permitted logon attempts within one hour. The number of logon attempts is reset to zero if a RAM user changes the password. |
| max_password_age | bigint | | The number of days for which a password is valid. Default value: 0. The default value indicates that the password never expires. |
| minimum_password_length | bigint | | The minimum required number of characters in a password. |
| password_reuse_prevention | bigint | | The number of previous passwords that the user is prevented from reusing. Default value: 0. The default value indicates that the RAM user is not prevented from reusing previous passwords. |
| region | text | | The Alicloud region in which the resource is located. |
| require_lowercase_characters | boolean | | Indicates whether a password must contain one or more lowercase letters. |
| require_numbers | boolean | | Indicates whether a password must contain one or more digits. |
| require_symbols | boolean | | Indicates whether a password must contain one or more special characters. |
| require_uppercase_characters | boolean | | Indicates whether a password must contain one or more uppercase letters. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud

You can pass the configuration to the command with the --config argument:

steampipe_export_alicloud --config '<your_config>' alicloud_ram_password_policy