# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 --- description: | ### Document Name - ASR-CIS_1.2.0_1.5 ## What does this document do? This document establishes a default password policy. ## Security Standards and Controls * CIS 1.5 - 1.11 ## Input Parameters * Finding: (Required) Security Hub finding details JSON * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. ## Output Parameters * Remediation.Output ## Documentation Links * [CIS v1.2.0 1.5](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5) * [CIS v1.2.0 1.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6) * [CIS v1.2.0 1.7](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7) * [CIS v1.2.0 1.8](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8) * [CIS v1.2.0 1.9](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.9) * [CIS v1.2.0 1.10](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.10) * [CIS v1.2.0 1.11](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.11) schemaVersion: '0.3' assumeRole: '{{ AutomationAssumeRole }}' outputs: - ParseInput.AffectedObject - Remediation.Output parameters: Finding: type: StringMap description: The input from the Orchestrator Step function for the 1.5 finding AutomationAssumeRole: type: String description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$' mainSteps: - name: ParseInput action: 'aws:executeScript' outputs: - Name: FindingId Selector: $.Payload.finding_id Type: String - Name: ProductArn Selector: $.Payload.product_arn Type: String - Name: AffectedObject Selector: $.Payload.object Type: StringMap inputs: InputPayload: Finding: '{{Finding}}' parse_id_pattern: '' expected_control_id: [ '1.5', '1.6', '1.7', '1.8', '1.9', '1.10', '1.11' ] Runtime: python3.8 Handler: parse_event Script: |- %%SCRIPT=common/parse_input.py%% isEnd: false - name: Remediation action: 'aws:executeAutomation' isEnd: false inputs: DocumentName: ASR-SetIAMPasswordPolicy RuntimeParameters: AllowUsersToChangePassword: True HardExpiry: True MaxPasswordAge: 90 MinimumPasswordLength: 14 RequireSymbols: True RequireNumbers: True RequireUppercaseCharacters: True RequireLowercaseCharacters: True PasswordReusePrevention: 24 AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/SO0111-SetIAMPasswordPolicy' - name: UpdateFinding action: 'aws:executeAwsApi' inputs: Service: securityhub Api: BatchUpdateFindings FindingIdentifiers: - Id: '{{ParseInput.FindingId}}' ProductArn: '{{ParseInput.ProductArn}}' Note: Text: 'Established a baseline password policy using the AWSConfigRemediation-SetIAMPasswordPolicy runbook.' UpdatedBy: 'ASR-CIS_1.2.0_1.5' Workflow: Status: RESOLVED description: Update finding isEnd: true