Authentication Without MFA

• Query id: eee107f9-b3d8-45d3-b9c6-43b5a7263ce1
• Query name: Authentication Without MFA
• Platform: Ansible
• Severity: Low
• Category: Access Control
• CWE: 287
• URL: Github

Description

Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: Assume an existing role
  community.aws.sts_assume_role:
    mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number }}"
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role

- name: Hello
  sts_assume_role:
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: Assume an existing role
  community.aws.sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: weewew
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role

- name: Hello
  sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: weewew
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role