Secure Your Oracle Database Passwords in AWS RDS With a Password Verification Function
Enforce strong password policies for Oracle databases on AWS RDS using built-in or custom verification functions via the rdsadmin package.
Protecting database access through strong password policies is a cornerstone of security in any environment. When deploying Oracle databases on AWS RDS, enforcing password complexity is essential, but the approach differs slightly from on-premises Oracle environments. AWS provides two primary ways to enforce password complexity in RDS Oracle: using the standard ORA_STIG_VERIFY_FUNCTION or a custom user-defined verification function.
This article provides a detailed, step-by-step guide for implementing both methods to help secure Oracle database passwords in AWS RDS.
Why Password Verification Matters
Password verification functions ensure that users adhere to organization-defined security policies for password creation. These functions typically enforce:
- Minimum password length
- Inclusion of uppercase/lowercase characters
- Use of numbers and special characters
- Prevention of dictionary words or username-based passwords
On AWS RDS for Oracle, a password verification function must be registered through the rdsadmin package, unlike on-premises Oracle, where you can create the function directly in the SYS schema.
Option 1: Use the AWS-Provided Standard Verification Function
AWS RDS for Oracle includes a built-in password verification function named ORA_STIG_VERIFY_FUNCTION, which aligns with the U.S. Department of Defense STIG standards.
Steps
Create a Profile Using the Built-in Function
```sql
CREATE PROFILE stig_profile LIMIT
  PASSWORD_LIFE_TIME       60
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_VERIFY_FUNCTION ORA_STIG_VERIFY_FUNCTION;
```
Assign the Profile to a User
```sql
ALTER USER db_user PROFILE stig_profile;
```
Test Password Complexity
Try changing the password to a weak value to verify that complexity enforcement works:

```sql
ALTER USER db_user IDENTIFIED BY "simple"; -- This should fail with a policy violation (ORA-28003).
```
Option 2: Create a Custom Password Verification Function
If your organization requires custom password rules, you can define a function and register it via the AWS rdsadmin package.
A Step-by-Step Guide
Step 1: Define the Function Using the rdsadmin Utility
Use the rdsadmin.rdsadmin_password_verify.create_verify_function procedure to register a custom function.
The following example creates a function named CUSTOM_PASSWORD_FUNCTION. It enforces the following rules:
- The password must be at least 12 characters long.
- It must contain at least 2 uppercase characters.
- It must include at least 1 digit and 1 special character.
- It must not contain the @ character.
```sql
BEGIN
  rdsadmin.rdsadmin_password_verify.create_verify_function(
    p_verify_function_name => 'CUSTOM_PASSWORD_FUNCTION',
    p_min_length           => 12,
    p_min_uppercase        => 2,
    p_min_digits           => 1,
    p_min_special          => 1,
    p_disallow_at_sign     => true);
END;
/
```
The procedure accepts the following parameters; any rule you do not set keeps its default, so the defaults (for example, p_disallow_username and p_disallow_simple_strings) are enforced alongside the ones you specify.

Parameter name | Data type | Default | Required | Description
---|---|---|---|---
p_verify_function_name | varchar2 | — | Yes | The name for your custom function. This function is created for you in the SYS schema. You assign this function to user profiles.
p_min_length | number | 8 | No | The minimum number of characters required.
p_max_length | number | 256 | No | The maximum number of characters allowed.
p_min_letters | number | 1 | No | The minimum number of letters required.
p_min_uppercase | number | 0 | No | The minimum number of uppercase letters required.
p_min_lowercase | number | 0 | No | The minimum number of lowercase letters required.
p_min_digits | number | 1 | No | The minimum number of digits required.
p_min_special | number | 0 | No | The minimum number of special characters required.
p_min_different_chars | number | 3 | No | The minimum number of different characters required between the old and new passwords.
p_disallow_username | boolean | true | No | Set to true to prevent the user name from being used in the password.
p_disallow_reverse | boolean | true | No | Set to true to prevent the reverse of the user name from being used in the password.
p_disallow_db_name | boolean | true | No | Set to true to prevent the database or server name from being used in the password.
p_disallow_simple_strings | boolean | true | No | Set to true to prevent simple strings (such as welcome1 or password1) from being used as the password.
p_disallow_whitespace | boolean | false | No | Set to true to prevent whitespace characters in the password.
p_disallow_at_sign | boolean | false | No | Set to true to prevent the @ character in the password.
To see the text of your verification function, run the following:
```sql
COL TEXT FORMAT a150
SELECT TEXT
  FROM DBA_SOURCE
 WHERE OWNER = 'SYS'
   AND NAME = 'CUSTOM_PASSWORD_FUNCTION'
 ORDER BY LINE;
```
Step 2: Associate the Function With a User Profile
Assign your custom function to the DEFAULT profile or to another user-defined profile:

```sql
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION CUSTOM_PASSWORD_FUNCTION;
```
To view which user profiles are linked to the custom function:
```sql
SELECT * FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'
   AND LIMIT = 'CUSTOM_PASSWORD_FUNCTION';
```
To list all profiles and the password verification functions they are associated with:
```sql
SELECT * FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION';
```
Sample output:
```text
PROFILE   RESOURCE_NAME             RESOURCE LIMIT
--------- ------------------------- -------- --------------------------
DEFAULT   PASSWORD_VERIFY_FUNCTION  PASSWORD CUSTOM_PASSWORD_FUNCTION
RDSADMIN  PASSWORD_VERIFY_FUNCTION  PASSWORD NULL
```
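Listing which profiles reference the function answers only half of the question; the audit a practitioner usually wants is the inverse: which open accounts are governed by a profile with no verification function in effect. The following added query (not from the original article) resolves the case where a profile's PASSWORD_VERIFY_FUNCTION limit is inherited from the DEFAULT profile and then lists the unprotected, non-Oracle-maintained accounts.

```sql
-- Added audit query (not from the original article).
-- DBA_PROFILES stores the verification limit as the string 'NULL' when none is set,
-- and a non-DEFAULT profile whose limit reads 'DEFAULT' inherits the DEFAULT
-- profile's setting, so that indirection has to be resolved before judging a user.
WITH verify_limits AS (
  SELECT p.profile,
         CASE
           WHEN p.limit = 'DEFAULT' THEN
             (SELECT d.limit
                FROM dba_profiles d
               WHERE d.profile = 'DEFAULT'
                 AND d.resource_name = 'PASSWORD_VERIFY_FUNCTION')
           ELSE p.limit
         END AS verify_function
    FROM dba_profiles p
   WHERE p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
)
SELECT u.username,
       u.profile,
       v.verify_function
  FROM dba_users u
  JOIN verify_limits v
    ON v.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND u.oracle_maintained = 'N'      -- column exists from 12c on; drop it on 11g
   AND (v.verify_function IS NULL OR v.verify_function = 'NULL')
 ORDER BY u.username;
```

Any row returned is an open account that can still be given a trivially weak password; assign it a profile that carries CUSTOM_PASSWORD_FUNCTION or ORA_STIG_VERIFY_FUNCTION and re-run the query until it comes back empty.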
Step 3: Assign the Profile to a User
```sql
ALTER USER example_user PROFILE DEFAULT;
```
This step ensures that the user is now governed by the rules defined in the custom password verification function.
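Once the three steps are in place, it is worth checking that each rule from Step 1 actually rejects what it should, not just that one weak password fails. The following added test harness (not part of the original article) does this the same way the article tests Option 1, by attempting an ALTER USER for each candidate password and trapping ORA-28003. It assumes a disposable user named PWTEST_USER exists and is assigned a profile that uses CUSTOM_PASSWORD_FUNCTION; the candidate passwords are constructed for illustration, and every accepted attempt really changes that user's password.

```sql
-- Added test harness (not from the original article). Run as the master user.
-- PWTEST_USER is an assumed throwaway account governed by CUSTOM_PASSWORD_FUNCTION.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_pwd IS TABLE OF VARCHAR2(128);
  -- Constructed candidates: each of the first five breaks exactly one rule
  -- from Step 1; the last one satisfies all of them (and the defaults).
  l_candidates t_pwd := t_pwd(
    'Sh0rt!Pw',              -- 8 characters: violates p_min_length => 12
    'Onlyoneupper1!x',       -- 1 uppercase letter: violates p_min_uppercase => 2
    'NoDigitsHere!!Ab',      -- no digit: violates p_min_digits => 1
    'NoSpecialChar12Ab',     -- no special character: violates p_min_special => 1
    'Has@Sign1234Ab!',       -- contains @: violates p_disallow_at_sign => true
    'Valid#Passw0rd12Ab'     -- 18 chars, 4 uppercase, 3 digits, 1 special, no @
  );
  -- ORA-28003 is how Oracle surfaces a failed PASSWORD_VERIFY_FUNCTION check.
  e_verify_failed EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_verify_failed, -28003);
  l_rejected PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. l_candidates.COUNT LOOP
    BEGIN
      -- Double quotes keep the special characters intact in the ALTER USER text.
      EXECUTE IMMEDIATE
        'ALTER USER pwtest_user IDENTIFIED BY "' || l_candidates(i) || '"';
      DBMS_OUTPUT.PUT_LINE('ACCEPTED: ' || l_candidates(i));
    EXCEPTION
      WHEN e_verify_failed THEN
        l_rejected := l_rejected + 1;
        -- SQLERRM carries the rule-specific message raised inside the function.
        DBMS_OUTPUT.PUT_LINE('REJECTED: ' || l_candidates(i) || ' -> ' || SQLERRM);
    END;
  END LOOP;
  -- With the rules from Step 1 in force, exactly the five weak candidates are refused.
  DBMS_OUTPUT.PUT_LINE(l_rejected || ' of ' || l_candidates.COUNT || ' candidates rejected');
END;
/
```

If a candidate you expected to fail is accepted, the user's profile is probably not the one carrying CUSTOM_PASSWORD_FUNCTION; confirm with the DBA_PROFILES queries from Step 2 before changing the function.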
Best Practices for Password Management in AWS RDS Oracle
- Avoid default users: Do not use admin, system, or sys for application access.
- Use IAM and Secrets Manager: Integrate AWS Secrets Manager for secure password storage and rotation.
- Audit logs: Enable CloudTrail and CloudWatch for tracking login attempts and failed access.
- Enforce expiry and lock policies: Use parameters like PASSWORD_LIFE_TIME and FAILED_LOGIN_ATTEMPTS.
- Rotate passwords automatically: Leverage automation tools or AWS Lambda for periodic password changes.
Conclusion
Securing database access in the cloud requires thoughtful implementation of password management policies. With AWS RDS for Oracle, you have the flexibility to use either AWS-provided STIG-compliant password checks or create tailored password validation functions. Remember, while the concepts may mirror on-premises Oracle, the implementation differs in AWS and requires using the rdsadmin utilities.
By following these practices, you ensure a more secure and compliant cloud database environment.