RAM Security Preference Not Enforce MFA Login
- Query id: dcda2d32-e482-43ee-a926-75eaabeaa4e0
- Query name: RAM Security Preference Not Enforce MFA Login
- Platform: Terraform
- Severity: Low
- Category: Access Control
- CWE: 287
- URL: Github
Description
RAM security preferences should enforce MFA login for RAM users: in alicloud_ram_security_preference, enforce_mfa_for_login should be set to true.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Create a new RAM user.
resource "alicloud_ram_user" "user1" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example1" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
}
Positive test num. 2 - tf file
# Create a new RAM user.
resource "alicloud_ram_user" "user2" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example2" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = false
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Create a new RAM user.
resource "alicloud_ram_user" "user0" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example0" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = true
}
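
The check the three samples above illustrate, written as a small Python scan. This is an added example, not the query's own implementation; the function name find_mfa_findings and the regex-based block matching are assumptions made for illustration, and the matching assumes a flat resource body as in the samples.

```python
import re

RESOURCE = "alicloud_ram_security_preference"
ATTRIBUTE = "enforce_mfa_for_login"

# Constructed input: the security-preference blocks from the page's three samples.
SAMPLES = '''
resource "alicloud_ram_security_preference" "example1" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
}
resource "alicloud_ram_security_preference" "example2" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = false
}
resource "alicloud_ram_security_preference" "example0" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = true
}
'''

# Simplification: the block body is flat (no nested braces), as in the samples.
BLOCK_RE = re.compile(r'resource\s+"%s"\s+"([^"]+)"\s*\{(.*?)\}' % RESOURCE, re.S)
# Anchored at line start, so a commented-out setting does not count as present.
ATTR_RE = re.compile(r'^\s*%s\s*=\s*(\S+)' % ATTRIBUTE, re.M)


def find_mfa_findings(hcl):
    """Return (resource_name, reason) for each block that does not enforce MFA login."""
    findings = []
    for name, body in BLOCK_RE.findall(hcl):
        match = ATTR_RE.search(body)
        if match is None:
            # Attribute absent: flagged, as in positive test 1.
            findings.append((name, "missing"))
        elif match.group(1) != "true":
            # Explicit false (positive test 2) or any value that is not the literal true.
            findings.append((name, "set to " + match.group(1)))
    return findings


if __name__ == "__main__":
    for name, reason in find_mfa_findings(SAMPLES):
        print(f"{RESOURCE}.{name}: {ATTRIBUTE} {reason}")
```

A value given as a variable reference is reported as well, since the scan cannot resolve it to true.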