Secure Your Oracle Database Passwords in AWS RDS With a Password Verification Function

Enforce strong password policies for Oracle databases on AWS RDS using built-in or custom verification functions via the rdsadmin package.

By arvind toorpu · Jun. 10, 25 · Tutorial

Protecting database access through strong password policies is a cornerstone of security in any environment. When deploying Oracle databases on AWS RDS, enforcing password complexity is essential, but the approach differs slightly from on-premises Oracle environments. AWS provides two primary ways to enforce password complexity in RDS Oracle: using the standard ORA_STIG_VERIFY_FUNCTION or a custom user-defined verification function. 

This article provides a detailed, step-by-step guide for implementing both methods to help secure Oracle database passwords in AWS RDS.

Why Password Verification Matters

Password verification functions ensure that users adhere to organization-defined security policies for password creation. These functions typically enforce:

  • Minimum password length
  • Inclusion of uppercase/lowercase characters
  • Use of numbers and special characters
  • Prevention of dictionary words or username-based passwords

On AWS RDS for Oracle, a password verification function must be registered through the rdsadmin package; unlike on-premises Oracle, you cannot create the function directly in the SYS schema yourself.

Option 1: Use the AWS-Provided Standard Verification Function

AWS RDS for Oracle includes a built-in password verification function named ORA_STIG_VERIFY_FUNCTION, which aligns with the U.S. Department of Defense Security Technical Implementation Guide (STIG) requirements.

Steps

Create a Profile Using the Built-in Function

PLSQL
 
CREATE PROFILE stig_profile LIMIT
  PASSWORD_LIFE_TIME       60
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_VERIFY_FUNCTION ORA_STIG_VERIFY_FUNCTION;


Assign the Profile to a User

PLSQL
 
ALTER USER db_user PROFILE stig_profile;


Test Password Complexity

Try altering the password with a weak password to verify that complexity enforcement works:

SQL
 
ALTER USER db_user IDENTIFIED BY "simple"; -- This should fail due to policy violation.


Option 2: Create a Custom Password Verification Function

If your organization requires custom password rules, you can define a function and register it via the AWS rdsadmin package.

A Step-by-Step Guide

Step 1: Define the Function Using the rdsadmin Utility

Use the rdsadmin.rdsadmin_password_verify.create_verify_function procedure to register a custom function.

The following example creates a function named CUSTOM_PASSWORD_FUNCTION. It enforces the following rules:

  • The password must be at least 12 characters long.
  • It must contain at least 2 uppercase characters.
  • It must include at least 1 digit and 1 special character.
  • It must not contain the @ character.

PLSQL
 
BEGIN
  rdsadmin.rdsadmin_password_verify.create_verify_function(
    p_verify_function_name => 'CUSTOM_PASSWORD_FUNCTION',
    p_min_length           => 12,
    p_min_uppercase        => 2,
    p_min_digits           => 1,
    p_min_special          => 1,
    p_disallow_at_sign     => true);
END;
/

More parameter details:

Parameter name | Data type | Default | Required | Description
p_verify_function_name | varchar2 | — | Yes | The name for your custom function. This function is created for you in the SYS schema. You assign this function to user profiles.
p_min_length | number | 8 | No | The minimum number of characters required.
p_max_length | number | 256 | No | The maximum number of characters allowed.
p_min_letters | number | 1 | No | The minimum number of letters required.
p_min_uppercase | number | 0 | No | The minimum number of uppercase letters required.
p_min_lowercase | number | 0 | No | The minimum number of lowercase letters required.
p_min_digits | number | 1 | No | The minimum number of digits required.
p_min_special | number | 0 | No | The minimum number of special characters required.
p_min_different_chars | number | 3 | No | The minimum number of different characters required between the old and new passwords.
p_disallow_username | boolean | true | No | Set to true to disallow the user name in the password.
p_disallow_reverse | boolean | true | No | Set to true to disallow the reverse of the user name in the password.
p_disallow_db_name | boolean | true | No | Set to true to disallow the database or server name in the password.
p_disallow_simple_strings | boolean | true | No | Set to true to disallow simple strings as the password.
p_disallow_whitespace | boolean | false | No | Set to true to disallow white space characters in the password.
p_disallow_at_sign | boolean | false | No | Set to true to disallow the @ character in the password.

To see the text of your verification function, run the following:

PLSQL
 
COL TEXT FORMAT a150
SELECT TEXT
  FROM DBA_SOURCE
 WHERE OWNER = 'SYS'
   AND NAME = 'CUSTOM_PASSWORD_FUNCTION'
 ORDER BY LINE;


Step 2: Associate the Function With a User Profile

Assign your custom function to the DEFAULT or another user-defined profile:

PLSQL
 
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION CUSTOM_PASSWORD_FUNCTION;


To view which user profiles are linked to the custom function:

SQL
 
-- In DBA_PROFILES the verification function is the PASSWORD_VERIFY_FUNCTION
-- resource (RESOURCE_TYPE = 'PASSWORD'); filtering RESOURCE_NAME on 'PASSWORD'
-- would return no rows.
SELECT * FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'
   AND LIMIT = 'CUSTOM_PASSWORD_FUNCTION';


To list all profiles and the password verification functions they are associated with:

PLSQL
 
SELECT * FROM DBA_PROFILES 
WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION';


Sample output:

SQL
 
PROFILE    RESOURCE_NAME              RESOURCE  LIMIT
---------  -------------------------  --------  --------------------------
DEFAULT    PASSWORD_VERIFY_FUNCTION   PASSWORD  CUSTOM_PASSWORD_FUNCTION
RDSADMIN   PASSWORD_VERIFY_FUNCTION   PASSWORD  NULL


Step 3: Assign the Profile to a User

PLSQL
 
ALTER USER example_user PROFILE DEFAULT;


This step ensures that the user is now governed by the rules defined in the custom password verification function.

Best Practices for Password Management in AWS RDS Oracle

  • Avoid default users: Do not use admin, system, or sys for application access.
  • Use IAM and Secrets Manager: Integrate AWS Secrets Manager for secure password storage and rotation.
  • Audit logs: Enable CloudTrail and CloudWatch for tracking login attempts and failed access.
  • Enforce expiry and lock policies: Use parameters like PASSWORD_LIFE_TIME and FAILED_LOGIN_ATTEMPTS.
  • Rotate passwords automatically: Leverage automation tools or AWS Lambda for periodic password changes.

Conclusion

Securing database access in the cloud requires thoughtful implementation of password management policies. With AWS RDS for Oracle, you have the flexibility to use either AWS-provided STIG-compliant password checks or create tailored password validation functions. Remember, while the concepts may mirror on-premises Oracle, the implementation differs in AWS and requires using rdsadmin utilities.

By following these practices, you ensure a more secure and compliant cloud database environment.
