
Rule ID AC_AWS_0472 broken #1602

Open
lisenet opened this issue Aug 16, 2023 · 0 comments

lisenet commented Aug 16, 2023

  • terrascan version: 1.18.3
  • Operating System: Ubuntu 20.04 LTS

Description

Having password_reuse_prevention=24 triggers Terrascan to report a compliance violation when there is none.

What I Did

The following block of code creates a violation:

resource "aws_iam_account_password_policy" "example" {
  minimum_password_length        = 15
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  password_reuse_prevention      = 24
  max_password_age               = 90
}

Terrascan result:

	Description    :	It is recommended that the password policy prevent the reuse of passwords.Preventing password reuse increases account resiliency against brute force login attempts
	File           :	iam-account-password-policy.tf
	Module Name    :	root
	Plan Root      :	./
	Line           :	2
	Severity       :	LOW
	Rule Name      :	passwordReuseNotAllowed
	Rule ID        :	AC_AWS_0472
	Resource Name  :	example
	Resource Type  :	aws_iam_account_password_policy
	Category       :	Compliance Validation

However, if we disable password_reuse_prevention (effectively allowing users to reuse their passwords):

resource "aws_iam_account_password_policy" "example" {
  minimum_password_length        = 15
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
}

Then Terrascan is happy about it, which is not the expected behaviour.

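As an added illustration, not part of the issue or of Terrascan's own rule code, here is a minimal Python check with the semantics the report expects: a missing password_reuse_prevention is a finding (AWS then allows reuse), and 24 passes. The HCL parser is a constructed stand-in that only handles the flat attributes in the blocks above, and the threshold of 24 is an assumption.

```python
import re

# Threshold the rule should enforce; the issue treats 24 as compliant (assumed here).
MIN_REUSE_PREVENTION = 24

# Reproduced from the issue report above (constructed input for this example).
COMPLIANT_TF = """
resource "aws_iam_account_password_policy" "example" {
  minimum_password_length        = 15
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  password_reuse_prevention      = 24
  max_password_age               = 90
}
"""
# The issue's second block: same policy with password_reuse_prevention removed.
REUSE_ALLOWED_TF = re.sub(r"^\s*password_reuse_prevention\s*=.*\n", "", COMPLIANT_TF, flags=re.M)

_RESOURCE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_ATTR = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_resources(hcl: str) -> dict:
    """Minimal parser: (type, name) -> {attr: value} for flat `key = value` attributes."""
    resources = {}
    for rtype, name, body in _RESOURCE.findall(hcl):
        attrs = {}
        for key, raw in _ATTR.findall(body):
            attrs[key] = (raw == "true" if raw in ("true", "false")
                          else int(raw) if raw.lstrip("-").isdigit() else raw.strip('"'))
        resources[(rtype, name)] = attrs
    return resources


def check_password_reuse(attrs: dict, minimum: int = MIN_REUSE_PREVENTION):
    """Return a violation message, or None when compliant; absent means reuse is allowed."""
    value = attrs.get("password_reuse_prevention")
    if value is None:
        return "password_reuse_prevention not set: password reuse is allowed"
    if not isinstance(value, int) or value < minimum:
        return f"password_reuse_prevention={value} is below the required {minimum}"
    return None


def scan(hcl: str) -> dict:
    """Map each aws_iam_account_password_policy resource name to its finding (or None)."""
    return {name: check_password_reuse(attrs)
            for (rtype, name), attrs in parse_resources(hcl).items()
            if rtype == "aws_iam_account_password_policy"}
```

Running scan() over the two blocks gives the inverse of what the report shows Terrascan doing: the first block is clean and the second is flagged.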