From 600192ac8f4845e5d709f395cd8639ae5c5c626d Mon Sep 17 00:00:00 2001
From: Bill Monkman
Date: Tue, 29 Sep 2020 13:13:01 -0700
Subject: [PATCH 1/2] Add account password policy to enforce password rules (closes #112)
---
 .../shared/account_password_policy.tf | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 templates/terraform/environments/shared/account_password_policy.tf
diff --git a/templates/terraform/environments/shared/account_password_policy.tf b/templates/terraform/environments/shared/account_password_policy.tf
new file mode 100644
index 0000000..ae124d3
--- /dev/null
+++ b/templates/terraform/environments/shared/account_password_policy.tf
@@ -0,0 +1,30 @@
+# This will enforce security policies for the entire account around what kinds of passwords IAM users can set.
+resource "aws_iam_account_password_policy" "account_password_policy" {
+ minimum_password_length = 14
+ require_numbers = true
+ require_symbols = true
+ require_lowercase_characters = true
+ require_uppercase_characters = true
+ allow_users_to_change_password = true
+ password_reuse_prevention = 24
+ hard_expiry = false
+ max_password_age = 180
+}
+
+# # The above settings are quite secure, while also being more user friendly by allowing longer between password resets, and not hard-locking an account when the password expires.
+# # To fully comply with the AWS CIS Benchmark, you can instead use the policy below.
+# # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html
+# resource "aws_iam_account_password_policy" "aws_foundations_benchmark_policy" {
+# minimum_password_length = 14
+# require_numbers = true
+# require_symbols = true
+# require_lowercase_characters = true
+# require_uppercase_characters = true
+# allow_users_to_change_password = true
+# password_reuse_prevention = 24
+# hard_expiry = true
+# max_password_age = 90
+# }
+
+
+
From 07c9330545a317b6787870b1506cfc6b2647a4ef Mon Sep 17 00:00:00 2001
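Review bot: The header comment on the new file overstates the control's scope: `aws_iam_account_password_policy` governs only the console passwords of IAM users in this account, not access keys, roles or federated/SSO identities, so a reader should not take it as covering programmatic access. I would tighten the first line to `# Account-wide password policy for IAM users' console passwords (does not cover access keys, roles or federated identities).`. The commented-out alternative is framed as something to use "instead", but since an AWS account holds exactly one password policy it is worth stating explicitly, e.g. `# Only one account password policy exists per account: replace the resource above with this one rather than enabling both.`, so nobody uncomments it alongside the active resource and ends up with two resources managing the same single setting. The deliberate relaxation to `hard_expiry = false` and `max_password_age = 180` versus the benchmark's 90-day expiry is already acknowledged in the existing comment, which is fine as long as that deviation is tracked wherever this template's compliance posture is documented.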
From: Bill Monkman
Date: Tue, 29 Sep 2020 13:18:53 -0700
Subject: [PATCH 2/2] Add codeowners
---
 .github/CODEOWNERS | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..12d3053
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @commitdev/zero