IAM User Policy Without MFA
- Query id: b5681959-6c09-4f55-b42b-c40fa12d03ec
- Query name: IAM User Policy Without MFA
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
Check if the root user is authenticated with MFA
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_iam_user" "positive1" {
name = "root"
path = "/system/"
tags = {
tag-key = "tag-value"
}
}
resource "aws_iam_access_key" "positive2" {
user = aws_iam_user.lb.name
}
resource "aws_iam_user_policy" "positive3" {
name = "test"
user = aws_iam_user.lb.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_iam_user" "negative1" {
name = "root"
path = "/system/"
tags = {
tag-key = "tag-value"
}
}
resource "aws_iam_access_key" "negative2" {
user = aws_iam_user.lb.name
}
resource "aws_iam_user_policy" "negative3" {
name = "test"
user = aws_iam_user.lb.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent" : "true"
}
}
}
]
}
EOF
}
resource "aws_iam_user_policy" "negative4" {
name = "test"
user = aws_iam_user.lb.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::mfa/111122223333:root"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}