Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

question: AwsSolutions-COG1 doesn't check requireLowercase configuration #1578

Open
clueleaf opened this issue Jan 24, 2024 · 4 comments
Open

question: AwsSolutions-COG1 doesn't check requireLowercase configuration #1578

clueleaf opened this issue Jan 24, 2024 · 4 comments
Labels
guidance Question that needs advice or information.

Comments

@clueleaf
Copy link
Contributor

General Issue

AwsSolutions-COG1 doesn't check requireLowercase configuration

The Question

AwsSolutions-COG1 rule checks requireUppercase, requireDigits and requireSymbols. But it doesn't check requireLowercase.
Any reasons for this?
https://github.com/cdklabs/cdk-nag/blob/main/src/rules/cognito/CognitoUserPoolStrongPasswordPolicy.ts

cdk-nag version

2.28.14

Language

Typescript

Other information

No response
@clueleaf clueleaf added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Jan 24, 2024
@dontirun
Copy link
Collaborator

I checked the documentation from where the rule is sourced from. The authors didn't include it in the rule description nor does it seem to be required in the reviews. This seems like a very arbitrary requirement, but I'll inquire further about it.

@dontirun dontirun removed the needs-triage This issue or PR still needs to be triaged. label Jan 24, 2024
@braidoa
Copy link

braidoa commented May 13, 2024
edited
Loading

Conventional user behavior is to select a password in all lowercase characters. To mitigate dictionary attacks, organizations mandate at least one uppercase character and some added non-letter characters. So offering a check of lowercase characters seems like an unnecessary check.

@clueleaf
Copy link
Contributor Author

clueleaf commented May 14, 2024
edited
Loading

That partly makes sense to me.

However, I still think requiring lowercase characters can make passwords more secure, because if the user already includes lowercase characters in their password, the change of this rule requiring lowercase characters in password policy will not cause any problems. This rule will come to fail Password policy will cause error only if the user does not use any lowercase characters, which contradicts with the first assumption "Conventional user behavior is to select a password in all lowercase characters."

Additionally, IAM.7 control in Security Hub, which is included in AWS Foundational Security Best Practices, also requires at least one lowercase character by default. (Although IAM.7 is applied to IAM configuration, I don't think there are any technical difference between IAM passwords and Cognito passwords.)

EDIT: Obviously, it is not cdk-nag check but the password registration process that an error could happen if the user's password does not align with the password policy. Update my comment. Sorry about the confusion.

@braidoa
Copy link

braidoa commented May 14, 2024

Thanks. These are persuasive points. I'll bring them into conversation with my team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
guidance Question that needs advice or information.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dontirun @clueleaf @braidoa