Secure Your Oracle Database Passwords in AWS RDS With a Password Verification Function

Protecting database access through strong password policies is a cornerstone of security in any environment. When deploying Oracle databases on AWS RDS, enforcing password complexity is essential, but the approach differs slightly from on-premises Oracle environments. AWS provides two primary ways to enforce password complexity in RDS Oracle: using the standard ORA_STIG_VERIFY_FUNCTION or a custom user-defined verification function. 

This article provides a detailed, step-by-step guide for implementing both methods to help secure Oracle database passwords in AWS RDS.

Why Password Verification Matters

Password verification functions ensure that users adhere to organization-defined security policies for password creation. These functions typically enforce:

• Minimum password length
• Inclusion of uppercase/lowercase characters
• Use of numbers and special characters
• Prevention of dictionary words or username-based passwords

On AWS RDS for Oracle, password verification must be registered using the rdsadmin package, unlike on-prem Oracle where direct creation is allowed.

Option 1: Use the AWS-Provided Standard Verification Function

AWS RDS for Oracle includes a built-in password verification function named ORA_STIG_VERIFY_FUNCTION, which aligns with the U.S. Department of Defense STIG standards.

Steps

Create a Profile Using the Built-in Function

CREATE PROFILE stig_profile LIMIT  
PASSWORD_LIFE_TIME 60  
PASSWORD_REUSE_TIME 365  
PASSWORD_REUSE_MAX 10  
FAILED_LOGIN_ATTEMPTS 5  
PASSWORD_VERIFY_FUNCTION 
ORA_STIG_VERIFY_FUNCTION;

Assign the Profile to a User

ALTER USER db_user PROFILE stig_profile;

Test Password Complexity

Try altering the password with a weak password to verify that complexity enforcement works:

ALTER USER db_user IDENTIFIED BY "simple"; -- This should fail due to policy violation.

Option 2: Create a Custom Password Verification Function

If your organization requires custom password rules, you can define a function and register it via the AWS rdsadmin package.

A Step-by-Step Guide

Define the Function Using the rdsadmin Utility

Use the rdsadmin.rdsadmin_password_verify.create_verify_function procedure to register a custom function.

The following example creates a function named CUSTOM_PASSWORD_FUNCTION. It enforces the following rules:

• The password must be at least 12 characters long.
• It ust contain at least 2 uppercase characters.
• It must include at least 1 digit and 1 special character.
• It must not contain the @ character.

BEGIN    rdsadmin.rdsadmin_password_verify.create_verify_function(p_verify_function_name => 'CUSTOM_PASSWORD_FUNCTION',         
                                                                  p_min_length           => 12,         
                                                                  p_min_uppercase        => 2,         
                                                                  p_min_digits           => 1,         
                                                                  p_min_special          => 1,        
                                                                  p_disallow_at_sign     => true); 
                                                                  END; /

To see the text of your verification function, run the following:

COL TEXT FORMAT a150 
SELECT TEXT   FROM 
DBA_SOURCE  WHERE OWNER = 'SYS'    
AND NAME = 'CUSTOM_PASSWORD_FUNCTION' ORDER BY LINE;

Step 2: Associate the Function With a User Profile

Assign your custom function to the DEFAULT or another user-defined profile:

ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION CUSTOM_PASSWORD_FUNCTION;

To view which user profiles are linked to the custom function:

SELECT * FROM DBA_PROFILES  
WHERE RESOURCE_NAME = 'PASSWORD'    
AND LIMIT = 'CUSTOM_PASSWORD_FUNCTION';

To list all profiles and the password verification functions they are associated with:

SELECT * FROM DBA_PROFILES 
WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION';

Sample output:

PROFILE    RESOURCE_NAME              RESOURCE  LIMIT
---------  -------------------------  --------  --------------------------
DEFAULT    PASSWORD_VERIFY_FUNCTION   PASSWORD  CUSTOM_PASSWORD_FUNCTION
RDSADMIN   PASSWORD_VERIFY_FUNCTION   PASSWORD  NULL

Step 3: Assign the Profile to a User

ALTER USER example_user PROFILE DEFAULT;

This step ensures that the user is now governed by the rules defined in the custom password verification function.

Best Practices for Password Management in AWS RDS Oracle

• Avoid default users: Do not use admin, system, or sys for application access.
• Use IAM and Secrets Manager: Integrate AWS Secrets Manager for secure password storage and rotation.
• Audit logs: Enable CloudTrail and CloudWatch for tracking login attempts and failed access.
• Enforce expiry and lock policies: Use parameters like PASSWORD_LIFE_TIME and FAILED_LOGIN_ATTEMPTS.
• Rotate passwords automatically: Leverage automation tools or AWS Lambda for periodic password changes.

Conclusion

Securing database access in the cloud requires thoughtful implementation of password management policies. With AWS RDS for Oracle, you have the flexibility to use either AWS-provided STIG-compliant password checks or create tailored password validation functions. Remember, while the concepts may mirror on-premises Oracle, the implementation differs in AWS and requires using rdsadmin utilities.

By following these practices, you ensure a more secure and compliant cloud database environment.