question: AwsSolutions-COG1 doesn't check requireLowercase configuration #1578
Comments
clueleaf
added
guidance
|
I checked the documentation from where the rule is sourced from. The authors didn't include it in the rule description nor does it seem to be required in the reviews. This seems like a very arbitrary requirement, but I'll inquire further about it. |
|
Conventional user behavior is to select a password in all lowercase characters. To mitigate dictionary attacks, organizations mandate at least one uppercase character and some added non-letter characters. So offering a check of lowercase characters seems like an unnecessary check. |
|
That partly makes sense to me. However, I still think requiring lowercase characters can make passwords more secure, because if the user already includes lowercase characters in their password, Additionally, IAM.7 control in Security Hub, which is included in AWS Foundational Security Best Practices, also requires at least one lowercase character by default. (Although IAM.7 is applied to IAM configuration, I don't think there are any technical difference between IAM passwords and Cognito passwords.) EDIT: Obviously, it is not cdk-nag check but the password registration process that an error could happen if the user's password does not align with the password policy. Update my comment. Sorry about the confusion. |
|
Thanks. These are persuasive points. I'll bring them into conversation with my team. |
General Issue
AwsSolutions-COG1 doesn't check requireLowercase configuration
The Question
AwsSolutions-COG1 rule checks
requireUppercase,requireDigitsandrequireSymbols. But it doesn't checkrequireLowercase.Any reasons for this?
https://github.com/cdklabs/cdk-nag/blob/main/src/rules/cognito/CognitoUserPoolStrongPasswordPolicy.ts
cdk-nag version
2.28.14
Language
Typescript
Other information
No response
The text was updated successfully, but these errors were encountered: