Authentication Without MFA
- Query id: eee107f9-b3d8-45d3-b9c6-43b5a7263ce1
- Query name: Authentication Without MFA
- Platform: Ansible
- Severity: High
- Category: Access Control
- URL: Github
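Description
Users should authenticate with MFA (Multi-Factor Authentication), which adds an extra layer of protection at authentication time. The samples below contrast `sts_assume_role` tasks that omit `mfa_serial_number` or `mfa_token` with tasks that set both.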
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
# mfa_serial_number is set, but mfa_token is not
- name: Assume an existing role
  community.aws.sts_assume_role:
    mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number }}"
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role
# neither mfa_serial_number nor mfa_token is set
- name: Hello
  sts_assume_role:
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: Assume an existing role
  community.aws.sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: weewew
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role
- name: Hello
  sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: weewew
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role
```
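The check these samples imply, written out as an added Python example (not the query's own code): it walks an already-parsed task list, such as the output of PyYAML's `yaml.safe_load`, and reports every `sts_assume_role` task that lacks either MFA parameter. The list of module names, the handling of nested `block`/`rescue`/`always` sections and free-form `key=value` arguments, and all function and variable names are assumptions of this example.

```python
# Added example: flag sts_assume_role tasks that lack MFA parameters.
MODULES = {"sts_assume_role", "community.aws.sts_assume_role",
           "amazon.aws.sts_assume_role"}  # module names to match (assumed list)
MFA_KEYS = ("mfa_serial_number", "mfa_token")
NESTED = ("block", "rescue", "always")  # keywords that hold nested task lists


def module_args(value):
    """Normalise module arguments: mapping form or free-form 'k=v k=v' string."""
    if isinstance(value, dict):
        return value
    if isinstance(value, str):
        return dict(p.split("=", 1) for p in value.split() if "=" in p)
    return {}


def find_tasks_without_mfa(tasks, path=""):
    """Return (location, task name, missing MFA keys) for each offending task."""
    findings = []
    for index, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        where = f"{path}[{index}]"
        for module in (m for m in task if m in MODULES):
            args = module_args(task[module])
            # A key that is null or empty provides no MFA, so count it as missing.
            missing = [k for k in MFA_KEYS if args.get(k) in (None, "")]
            if missing:
                findings.append((where, task.get("name", "<unnamed>"), missing))
        for keyword in NESTED:
            findings += find_tasks_without_mfa(task.get(keyword), f"{where}.{keyword}")
    return findings


# The page's vulnerable sample as parsed data, plus one constructed nested task.
ROLE = {"role_arn": "arn:aws:iam::123456789012:role/someRole",
        "role_session_name": "someRoleSession"}
SERIAL = "{{ mfa_devices.mfa_devices[0].serial_number }}"
FLAGGED = [
    {"name": "Assume an existing role", "register": "assumed_role",
     "community.aws.sts_assume_role": {"mfa_serial_number": SERIAL, **ROLE}},
    {"name": "Hello", "sts_assume_role": dict(ROLE), "register": "assumed_role"},
    {"name": "Wrapper (constructed)", "block": [
        {"name": "Nested (constructed)", "amazon.aws.sts_assume_role": dict(ROLE)}]},
]

if __name__ == "__main__":
    for where, name, missing in find_tasks_without_mfa(FLAGGED):
        print(f"{where} {name!r}: missing {', '.join(missing)}")
```

In a real playbook the `mfa_token` value is a one-time code, so it is supplied at run time rather than written into the file as in the test fixture.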