# RAM Security Preference Not Enforce MFA Login

- Query id: dcda2d32-e482-43ee-a926-75eaabeaa4e0
- Query name: RAM Security Preference Not Enforce MFA Login
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
## Description

RAM security preferences should enforce MFA login for RAM users (`enforce_mfa_for_login = true` on `alicloud_ram_security_preference`).

Documentation
## Code samples

### Code samples with security vulnerabilities

#### Positive test num. 1 - tf file

```tf
# Create a new RAM user.
resource "alicloud_ram_user" "user1" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

# enforce_mfa_for_login is not set, so MFA login is not enforced.
resource "alicloud_ram_security_preference" "example1" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
}
```
#### Positive test num. 2 - tf file

```tf
# Create a new RAM user.
resource "alicloud_ram_user" "user2" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

# enforce_mfa_for_login is explicitly disabled.
resource "alicloud_ram_security_preference" "example2" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = false
}
```
#### Positive test num. 3 - tf file

```tf
# This file does not return any result on its own, because at least one
# "alicloud_ram_security_preference" resource exists elsewhere in the
# samples of the test folder.
#resource "alicloud_ram_user" "user3" {
#  name         = "user_test"
#  display_name = "user_display_name"
#  mobile       = "86-18688888888"
#  email        = "hello.uuu@aaa.com"
#  comments     = "yoyoyo"
#  force        = true
#}
```
### Code samples without security vulnerabilities

#### Negative test num. 1 - tf file

```tf
# Create a new RAM user.
resource "alicloud_ram_user" "user0" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

# MFA is required for console login of RAM users.
resource "alicloud_ram_security_preference" "example0" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = true
}
```
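The following is an added example, not KICS's own query (which is written in Rego) and not part of this page: a small standalone Python checker that applies the rule above to a set of Terraform files. It uses a minimal regex-based parser for flat `resource` blocks (assumed sufficient for these samples; nested blocks are not handled), flags every `alicloud_ram_security_preference` that omits `enforce_mfa_for_login` or sets it to anything other than `true`, and, mirroring the note on positive test 3, reports a missing security preference only when no such resource exists in the whole scanned set. The sample files are constructed here from the page's tests.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files, built from the page's positive and negative tests.
SAMPLE_FILES: Dict[str, str] = {
    "positive1.tf": '''
resource "alicloud_ram_user" "user1" {
  name  = "user_test"
  force = true
}

resource "alicloud_ram_security_preference" "example1" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
}
''',
    "positive2.tf": '''
resource "alicloud_ram_security_preference" "example2" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = false
}
''',
    "positive3.tf": '''
resource "alicloud_ram_user" "user3" {
  name  = "user_test"
  force = true
}
''',
    "negative1.tf": '''
resource "alicloud_ram_user" "user0" {
  name  = "user_test"
  force = true
}

resource "alicloud_ram_security_preference" "example0" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = true
}
''',
}

RESOURCE_TYPE = "alicloud_ram_security_preference"

# Matches a flat `resource "type" "name" { ... }` block; the body runs up to the
# first line that consists of a lone closing brace (no nested blocks assumed).
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)
# Matches one `key = value` line inside a block body; `#` comment lines do not match.
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$', re.MULTILINE)


def parse_blocks(hcl: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (resource_type, resource_name, {attr: raw_value}) for each block."""
    blocks = []
    for match in BLOCK_RE.finditer(hcl):
        rtype, rname, body = match.groups()
        attrs = {key: value for key, value in ATTR_RE.findall(body)}
        blocks.append((rtype, rname, attrs))
    return blocks


def check_files(files: Dict[str, str]) -> List[str]:
    """Return one finding per violation of 'enforce MFA login' across the file set."""
    findings: List[str] = []
    preferences_seen = 0
    for fname, content in files.items():
        for rtype, rname, attrs in parse_blocks(content):
            if rtype != RESOURCE_TYPE:
                continue
            preferences_seen += 1
            value = attrs.get("enforce_mfa_for_login")
            if value is None:
                # Unset attribute: the query treats it as MFA not enforced.
                findings.append(
                    f"{fname}: {RESOURCE_TYPE}.{rname} does not set enforce_mfa_for_login")
            elif value.strip().lower() != "true":
                findings.append(
                    f"{fname}: {RESOURCE_TYPE}.{rname} sets enforce_mfa_for_login = {value}")
    if preferences_seen == 0:
        # No security preference anywhere in the scanned set: nothing enforces MFA.
        findings.append(
            f"no {RESOURCE_TYPE} resource found in scanned files; "
            "MFA login is not enforced for RAM users")
    return findings


if __name__ == "__main__":
    for finding in check_files(SAMPLE_FILES):
        print("HIGH:", finding)
```

Run against all four samples the checker reports `example1` (attribute missing) and `example2` (explicitly `false`) and stays silent on `example0`; scanning `positive3.tf` alone yields the "no resource found" finding, matching the page's remark that the file only passes because other samples in the folder declare a security preference.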