Authentication Without MFA

  • Query id: eee107f9-b3d8-45d3-b9c6-43b5a7263ce1
  • Query name: Authentication Without MFA
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

Users should authenticate with MFA (Multi-Factor Authentication) to add an extra layer of protection when authenticating. For `sts_assume_role` tasks this means supplying both `mfa_serial_number` and `mfa_token`; a task that omits either is reported.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Assume an existing role
  community.aws.sts_assume_role:
    mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number }}"
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role

- name: Hello
  sts_assume_role:
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Assume an existing role
  community.aws.sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: weewew
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role

- name: Hello
  sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: weewew
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role
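The check behind this query, written out as an added example (not KICS's own implementation): it walks already-parsed playbook tasks, matches `sts_assume_role` under its short or fully qualified name, and reports tasks missing `mfa_serial_number` and/or `mfa_token`. It assumes the YAML has been loaded into Python lists and dicts (for instance with PyYAML's `safe_load`); the embedded sample mirrors the positive test above.

```python
# Added example, not the KICS query itself: detect Ansible sts_assume_role
# tasks that do not supply both MFA parameters.
# Tasks are assumed to be already parsed (e.g. yaml.safe_load on the playbook).

MODULE_NAME = "sts_assume_role"
REQUIRED_MFA_KEYS = ("mfa_serial_number", "mfa_token")
BLOCK_KEYS = ("block", "rescue", "always")  # keys that hold nested task lists


def _is_assume_role_module(key):
    """Match the short name and any collection-qualified name (x.y.sts_assume_role)."""
    return key == MODULE_NAME or key.endswith("." + MODULE_NAME)


def find_tasks_without_mfa(tasks, path="tasks"):
    """Return (task path, task name, missing keys) for every sts_assume_role task
    lacking an MFA serial number and/or token; recurses into block/rescue/always."""
    findings = []
    for index, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        task_path = f"{path}[{index}]"
        for block_key in BLOCK_KEYS:  # inspect nested task lists as well
            if isinstance(task.get(block_key), list):
                findings.extend(find_tasks_without_mfa(task[block_key], f"{task_path}.{block_key}"))
        for key, params in task.items():
            if not _is_assume_role_module(key):
                continue
            params = params if isinstance(params, dict) else {}
            # An absent or empty value counts as missing.
            missing = [k for k in REQUIRED_MFA_KEYS if not params.get(k)]
            if missing:
                findings.append((task_path, task.get("name", "<unnamed>"), missing))
    return findings


# Constructed sample mirroring the page's positive test: the first task has a
# serial number but no token, the second has neither.
POSITIVE_SAMPLE = [
    {"name": "Assume an existing role", "register": "assumed_role",
     "community.aws.sts_assume_role": {
         "mfa_serial_number": "{{ mfa_devices.mfa_devices[0].serial_number }}",
         "role_arn": "arn:aws:iam::123456789012:role/someRole",
         "role_session_name": "someRoleSession"}},
    {"name": "Hello", "register": "assumed_role",
     "sts_assume_role": {"role_arn": "arn:aws:iam::123456789012:role/someRole",
                         "role_session_name": "someRoleSession"}},
]

for task_path, name, missing in find_tasks_without_mfa(POSITIVE_SAMPLE):
    print(f"{task_path} ({name}): missing {', '.join(missing)}")
```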