RAM Security Preference Not Enforce MFA Login

  • Query id: dcda2d32-e482-43ee-a926-75eaabeaa4e0
  • Query name: RAM Security Preference Not Enforce MFA Login
  • Platform: Terraform
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

RAM security preferences should enforce MFA login for RAM users: the `alicloud_ram_security_preference` resource should set `enforce_mfa_for_login = true`. The query reports a security preference that omits this attribute or sets it to `false`.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Create a new RAM user.
resource "alicloud_ram_user" "user1" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example1" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
}
Positive test num. 2 - tf file
# Create a new RAM user.
resource "alicloud_ram_user" "user2" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example2" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = false
}
Positive test num. 3 - tf file
# This file on its own produces no result: at least one "alicloud_ram_security_preference" resource exists elsewhere in this test folder, so the "no security preference defined" case is not triggered.
#resource "alicloud_ram_user" "user3" {
#  name         = "user_test"
#  display_name = "user_display_name"
#  mobile       = "86-18688888888"
#  email        = "hello.uuu@aaa.com"
#  comments     = "yoyoyo"
#  force        = true
#}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Create a new RAM user.
resource "alicloud_ram_user" "user0" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example0" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = true
}
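The following is an added example, not part of the KICS query or its test fixtures: a small standalone checker that applies the same rule to Terraform text, flagging a security preference whose `enforce_mfa_for_login` is missing or `false`, and a file that declares a RAM user without any security preference. The sample HCL strings are constructed to mirror the positive and negative tests above; comment lines are dropped first, so the commented-out resource of positive test 3 is ignored just as the note there describes.

```python
import re

# Constructed samples mirroring the page's test cases (not the KICS fixtures verbatim).
USER_BLOCK = '''
resource "alicloud_ram_user" "user_test" {
  name  = "user_test"
  force = true
}
'''
PREF_MISSING = USER_BLOCK + '''
resource "alicloud_ram_security_preference" "example1" {
  enable_save_mfa_ticket = false
}
'''
PREF_FALSE = USER_BLOCK + '''
resource "alicloud_ram_security_preference" "example2" {
  enforce_mfa_for_login = false
}
'''
PREF_TRUE = USER_BLOCK + '''
resource "alicloud_ram_security_preference" "example0" {
  enforce_mfa_for_login = true
}
'''

# A top-level resource block: type, name, and a body that ends at the first line starting with "}".
BLOCK_RE = re.compile(r'^resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR_RE = re.compile(r'^\s*enforce_mfa_for_login\s*=\s*(true|false)\s*$', re.M)


def check_mfa_enforced(tf_text):
    """Return a list of (resource_name, reason) findings for one HCL text.

    Pass the concatenated contents of a folder to approximate the folder-wide
    behaviour of the "no security preference defined" case.
    """
    text = "\n".join(l for l in tf_text.splitlines() if not l.lstrip().startswith("#"))
    findings, has_user, has_pref = [], False, False
    for rtype, name, body in BLOCK_RE.findall(text):
        if rtype == "alicloud_ram_user":
            has_user = True
        elif rtype == "alicloud_ram_security_preference":
            has_pref = True
            m = ATTR_RE.search(body)
            if m is None:
                findings.append((name, "enforce_mfa_for_login is undefined"))
            elif m.group(1) == "false":
                findings.append((name, "enforce_mfa_for_login is set to false"))
    if has_user and not has_pref:
        findings.append(("<none>", "RAM user defined but no alicloud_ram_security_preference"))
    return findings
```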