Secure Your Oracle Database Passwords in AWS RDS With a Password Verification Function

Enforce strong password policies for Oracle databases on AWS RDS using built-in or custom verification functions via the rdsadmin package.

arvind toorpu

CORE ·

Jun. 10, 25 · Tutorial

Likes (1)

Comment

Save

1.0K Views

Protecting database access through strong password policies is a cornerstone of security in any environment. When deploying Oracle databases on AWS RDS, enforcing password complexity is essential, but the approach differs slightly from on-premises Oracle environments. AWS provides two primary ways to enforce password complexity in RDS Oracle: using the standard ORA_STIG_VERIFY_FUNCTION or a custom user-defined verification function.

This article provides a detailed, step-by-step guide for implementing both methods to help secure Oracle database passwords in AWS RDS.

Why Password Verification Matters

Password verification functions ensure that users adhere to organization-defined security policies for password creation. These functions typically enforce:

Minimum password length
Inclusion of uppercase/lowercase characters
Use of numbers and special characters
Prevention of dictionary words or username-based passwords

On AWS RDS for Oracle, password verification must be registered using the rdsadmin package, unlike on-prem Oracle where direct creation is allowed.

Option 1: Use the AWS-Provided Standard Verification Function

AWS RDS for Oracle includes a built-in password verification function named ORA_STIG_VERIFY_FUNCTION, which aligns with the U.S. Department of Defense STIG standards.

Steps

Create a Profile Using the Built-in Function

    PLSQL
   
 

   CREATE PROFILE stig_profile LIMIT  
PASSWORD_LIFE_TIME 60  
PASSWORD_REUSE_TIME 365  
PASSWORD_REUSE_MAX 10  
FAILED_LOGIN_ATTEMPTS 5  
PASSWORD_VERIFY_FUNCTION 
ORA_STIG_VERIFY_FUNCTION;
  

Assign the Profile to a User

    PLSQL
   
   ALTER USER db_user PROFILE stig_profile;

Test Password Complexity

Try altering the password with a weak password to verify that complexity enforcement works:

    SQL
   
   ALTER USER db_user IDENTIFIED BY "simple"; -- This should fail due to policy violation.

Option 2: Create a Custom Password Verification Function

If your organization requires custom password rules, you can define a function and register it via the AWS rdsadmin package.

A Step-by-Step Guide

Define the Function Using the rdsadmin Utility

Use the rdsadmin.rdsadmin_password_verify.create_verify_function procedure to register a custom function.

The following example creates a function named CUSTOM_PASSWORD_FUNCTION. It enforces the following rules:

The password must be at least 12 characters long.
It ust contain at least 2 uppercase characters.
It must include at least 1 digit and 1 special character.
It must not contain the @ character.

    PLSQL
   
 

   BEGIN    rdsadmin.rdsadmin_password_verify.create_verify_function(p_verify_function_name => 'CUSTOM_PASSWORD_FUNCTION',         
                                                                  p_min_length           => 12,         
                                                                  p_min_uppercase        => 2,         
                                                                  p_min_digits           => 1,         
                                                                  p_min_special          => 1,        
                                                                  p_disallow_at_sign     => true); 
                                                                  END; /
  

More parameter details:

Parameter name	Data type	Default	Required	Description
`p_verify_function_name`	varchar2	—	Yes	The name for your custom function. This function is created for you in the SYS schema. You assign this function to user profiles.
`p_min_length`	number	8	No	The minimum number of characters required.
`p_max_length`	number	256	No	The maximum number of characters allowed.
`p_min_letters`	number	1	No	The minimum number of letters required.
`p_min_uppercase`	number	0	No	The minimum number of uppercase letters required.
`p_min_lowercase`	number	0	No	The minimum number of lowercase letters required.
`p_min_digits`	number	1	No	The minimum number of digits required.
`p_min_special`	number	0	No	The minimum number of special characters required.
`p_min_different_chars`	number	3	No	The minimum number of different characters required between the old and new passwords.
`p_disallow_username`	boolean	true	No	Set to `true` to disallow the user name in the password.
`p_disallow_reverse`	boolean	true	No	Set to `true` to disallow the reverse of the user name in the password.
`p_disallow_db_name`	boolean	true	No	Set to `true` to disallow the database or server name in the password.
`p_disallow_simple_strings`	boolean	true	No	Set to `true` to disallow simple strings as the password.
`p_disallow_whitespace`	boolean	false	No	Set to `true` to disallow white space characters in the password.
`p_disallow_at_sign`	boolean	false	No	Set to `true` to disallow the @ character in the password.

To see the text of your verification function, run the following:

    PLSQL
   
   COL TEXT FORMAT a150 
SELECT TEXT   FROM 
DBA_SOURCE  WHERE OWNER = 'SYS'    
AND NAME = 'CUSTOM_PASSWORD_FUNCTION' ORDER BY LINE;

Step 2: Associate the Function With a User Profile

Assign your custom function to the DEFAULT or another user-defined profile:

    PLSQL
   
   ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION CUSTOM_PASSWORD_FUNCTION;

To view which user profiles are linked to the custom function:

    SQL
   
   SELECT * FROM DBA_PROFILES  
WHERE RESOURCE_NAME = 'PASSWORD'    
AND LIMIT = 'CUSTOM_PASSWORD_FUNCTION';

To list all profiles and the password verification functions they are associated with:

    PLSQL
   
   SELECT * FROM DBA_PROFILES 
WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION';

Sample output:

    SQL
   
   PROFILE    RESOURCE_NAME              RESOURCE  LIMIT
---------  -------------------------  --------  --------------------------
DEFAULT    PASSWORD_VERIFY_FUNCTION   PASSWORD  CUSTOM_PASSWORD_FUNCTION
RDSADMIN   PASSWORD_VERIFY_FUNCTION   PASSWORD  NULL

Step 3: Assign the Profile to a User

    PLSQL
   
   ALTER USER example_user PROFILE DEFAULT;

This step ensures that the user is now governed by the rules defined in the custom password verification function.

Best Practices for Password Management in AWS RDS Oracle

Avoid default users: Do not use admin, system, or sys for application access.
Use IAM and Secrets Manager: Integrate AWS Secrets Manager for secure password storage and rotation.
Audit logs: Enable CloudTrail and CloudWatch for tracking login attempts and failed access.
Enforce expiry and lock policies: Use parameters like PASSWORD_LIFE_TIME and FAILED_LOGIN_ATTEMPTS.
Rotate passwords automatically: Leverage automation tools or AWS Lambda for periodic password changes.

Conclusion

Securing database access in the cloud requires thoughtful implementation of password management policies. With AWS RDS for Oracle, you have the flexibility to use either AWS-provided STIG-compliant password checks or create tailored password validation functions. Remember, while the concepts may mirror on-premises Oracle, the implementation differs in AWS and requires using rdsadmin utilities.

By following these practices, you ensure a more secure and compliant cloud database environment.

AWS Lambda Oracle Database identity and access management

Opinions expressed by DZone contributors are their own.

Related

Trending