Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: users-mfa-enabled
ID: AVD-AWS-0123

IAM groups should have MFA enforcement activated.

IAM groups should be protected with multi-factor authentication to add safeguards against password compromise.

Impact

IAM groups are more vulnerable to compromise without multi-factor authentication activated.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for IAM.

  3. Scroll down the left navigation panel and choose “Users”.

  4. Select the “User” that needs to be verified and click on the “User name” to access the selected “IAM User”.

  5. Click on “Security Credentials” on the configuration page.

  6. Scroll down the “Security Credentials” tab and check the “Assigned MFA device”. Check the “Multi-factor authentication (MFA)” section for any active devices. If “Not assigned” is shown against “Assigned MFA device”, then a multi-factor authentication device is not enabled for the selected user account.

  7. Repeat steps 2 - 6 to check other IAM users.

  8. On the “Security Credentials” page, scroll down to “Multi-factor authentication (MFA)” and click on the “Manage” link to enable a multi-factor authentication device.

  9. Click on “Virtual MFA device” and click on “Continue”.

  10. Now install an AWS MFA-compatible application on a mobile device or computer. Once the application is installed, click on “Show QR code” and scan the code with the installed application.

  11. Enter two consecutive MFA codes generated by the application in “MFA code 1” and “MFA code 2” and click on the “Assign MFA” button.

  12. On successful setup you will get the following message: “You have successfully assigned virtual MFA”.

  13. Repeat steps 8 - 12 to enable a multi-factor authentication device for all other IAM users.
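Steps 2 - 7 above are a per-user console check. The same audit can be done for every user at once from an IAM credential report, which exposes the `password_enabled` and `mfa_active` columns the console walkthrough inspects by hand. The script below is an added example, not part of the AVD page or of Trivy; the credential report it parses is a constructed sample with the real column names, and the optional `fetch_live_report` helper assumes `boto3` is installed and that the caller has `iam:GenerateCredentialReport` and `iam:GetCredentialReport`.

```python
import csv
import io
from typing import Dict, List

# Constructed sample credential report (only the columns the check reads;
# the real report has more). Column names match the real report format.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,true,false
alice,arn:aws:iam::111111111111:user/alice,2021-03-04T12:00:00+00:00,true,2024-05-02T09:00:00+00:00,true,true
bob,arn:aws:iam::111111111111:user/bob,2022-07-08T12:00:00+00:00,true,no_information,false,false
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2023-01-01T00:00:00+00:00,false,N/A,false,true
"""

Row = Dict[str, str]


def parse_credential_report(report_csv: str) -> List[Row]:
    """Parse the CSV body of an IAM credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def console_users_without_mfa(rows: List[Row]) -> List[str]:
    """Names of IAM users who can sign in with a password but have no active MFA.

    This is the automated equivalent of reading "Assigned MFA device" for each
    user in the console. Users with password_enabled == "false" (access-key-only
    users such as svc-deploy) are not flagged here: for API traffic, MFA is
    enforced by the aws:MultiFactorAuthPresent policy condition instead.
    """
    return [
        row["user"]
        for row in rows
        if row["user"] != "<root_account>"
        and row["password_enabled"] == "true"
        and row["mfa_active"] != "true"
    ]


def root_mfa_active(rows: List[Row]) -> bool:
    """The root row reports password_enabled as 'not_supported', so check it separately."""
    for row in rows:
        if row["user"] == "<root_account>":
            return row["mfa_active"] == "true"
    return False


def fetch_live_report() -> str:
    """Optional live path (assumption: boto3 installed and credentials allowing
    iam:GenerateCredentialReport and iam:GetCredentialReport). Not run offline."""
    import time
    import boto3  # imported lazily so the offline example has no dependency

    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until it is ready.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_REPORT)
    print("root MFA active:", root_mfa_active(rows))
    print("console users without MFA:", console_users_without_mfa(rows))
```

Replace `SAMPLE_REPORT` with the output of `fetch_live_report()` to run it against a real account; the user names it prints are the ones that still need steps 8 - 12.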

Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced.

resource "aws_iam_group" "support" {
  name = "support"
}

# Inline group policy: ec2:* is allowed only when the caller authenticated with MFA.
resource "aws_iam_group_policy" "mfa" {
  group  = aws_iam_group.support.name
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": ["true"]
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_group" "support" {
  name = "support"
}

# Same MFA-gated statement as a managed policy, attached to the group.
resource "aws_iam_policy" "mfa" {
  name   = "something"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": ["true"]
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_group_policy_attachment" "attach" {
  group      = aws_iam_group.support.name
  policy_arn = aws_iam_policy.mfa.arn # policy_arn expects the ARN attribute
}

resource "aws_iam_group" "support" {
  name = "support"
}

resource "aws_iam_group_policy" "mfa" {
  group  = aws_iam_group.support.name
  policy = data.aws_iam_policy_document.combined.json
}

# Override documents win over source documents when sids match: this MFA-gated
# "main" statement replaces the ungated "main" statement from policy_source.
data "aws_iam_policy_document" "policy_override" {
  statement {
    sid       = "main"
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

data "aws_iam_policy_document" "policy_source" {
  statement {
    sid       = "main"
    effect    = "Allow"
    actions   = ["iam:*"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "policy_misc" {
  statement {
    sid       = "misc"
    effect    = "Deny"
    actions   = ["logs:*"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "combined" {
  # policy_id sets the document "Id"; the deprecated source_json argument
  # conflicts with source_policy_documents and was removed in AWS provider v5.
  policy_id = "base"

  source_policy_documents = [
    data.aws_iam_policy_document.policy_source.json
  ]
  override_policy_documents = [
    data.aws_iam_policy_document.policy_override.json,
    data.aws_iam_policy_document.policy_misc.json
  ]
  statement {
    sid       = "whatever"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
  }
}
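All three Terraform examples render to an IAM policy JSON document in which every Allow statement carries a `Bool` condition on `aws:MultiFactorAuthPresent`. That condition only restricts the statement it sits on: a caller without MFA is still granted whatever other policies allow. The checker below, an added example that is not part of the AVD page or of Trivy's own check, reads a rendered policy document, reports each Allow statement that is not MFA-gated, and also recognises the complementary pattern from the AWS documentation, a `Deny` on all actions under `BoolIfExists` `aws:MultiFactorAuthPresent` `false`, which closes that gap. The policy documents it runs on are constructed here; `PAGE_POLICY` is the JSON from the first Terraform snippet above.

```python
import json
from typing import Any, Dict, List

MFA_KEY = "aws:multifactorauthpresent"  # IAM condition keys are case-insensitive

# The policy from the page's first Terraform example, as rendered JSON.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": ["true"]}},
    }],
})

# Constructed: one gated statement and one that forgot the condition.
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2WithMfa", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "S3Access", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# Constructed: the AWS-documented "deny everything without MFA" statement, which
# covers Allow statements in this and every other policy on the principal.
DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAllWithoutMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "S3Access", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_condition_values(stmt: Dict[str, Any], operators: set) -> List[str]:
    """Lower-cased values set for aws:MultiFactorAuthPresent under the given operators."""
    found: List[str] = []
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in operators:
            continue
        for key, value in pairs.items():
            if key.lower() == MFA_KEY:
                found.extend(str(v).lower() for v in _as_list(value))
    return found


def allow_requires_mfa(stmt: Dict[str, Any]) -> bool:
    """Allow statement gated on Bool aws:MultiFactorAuthPresent = true (the page's pattern)."""
    return "true" in _mfa_condition_values(stmt, {"Bool"})


def is_deny_without_mfa(stmt: Dict[str, Any]) -> bool:
    """Deny covering all actions (Action "*" or a NotAction carve-out) when MFA is absent."""
    if stmt.get("Effect") != "Deny":
        return False
    covers_all = "*" in _as_list(stmt.get("Action")) or "NotAction" in stmt
    return covers_all and "false" in _mfa_condition_values(stmt, {"Bool", "BoolIfExists"})


def audit_policy(policy_json: str) -> Dict[str, Any]:
    """Report Allow statements that are not MFA-gated and whether a global MFA deny exists."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    ungated = [
        stmt.get("Sid") or f"statement-{i}"
        for i, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow" and not allow_requires_mfa(stmt)
    ]
    return {
        "ungated_allow": ungated,
        "has_mfa_deny": any(is_deny_without_mfa(s) for s in statements),
    }


if __name__ == "__main__":
    for name, doc in [("page", PAGE_POLICY), ("mixed", MIXED_POLICY), ("deny", DENY_POLICY)]:
        print(name, audit_policy(doc))
```

Run it on the output of `terraform show -json` (the `policy` attribute of each `aws_iam_group_policy` or `aws_iam_policy` resource) to check rendered documents rather than the HCL; a result with an empty `ungated_allow` list, or with `has_mfa_deny` true, is what the examples above are meant to produce.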