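Use the `terraform-module/enforce-mfa/aws` module, or attach a policy whose permissions are conditioned on `aws:MultiFactorAuthPresent`, so that members of the group can only act from an MFA-authenticated session.

Each example below grants permissions only when the condition key `aws:MultiFactorAuthPresent` is `true`. A request whose session was not established with MFA — including direct use of long-term access keys, where the key is absent from the request context — does not match the condition and is not allowed by these statements. Two caveats for practitioners:

- The gate applies only to the permissions granted *by this policy*. Any other policy attached to the same user, group or role that allows the action without the condition still lets it through.
- If you enforce MFA with a `Deny` statement instead, test the key with `BoolIfExists` against `"false"`; a plain `Bool` condition does not match requests where the key is absent, so the deny would not fire for access-key requests.

```hcl
resource "aws_iam_group" "support" {
  name = "support"
}

# Inline group policy: the only Allow statement is conditioned on an
# MFA-authenticated session, so without MFA nothing is granted here.
resource "aws_iam_group_policy" "mfa" {
  group  = aws_iam_group.support.name
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMfaForEc2",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": ["true"]
        }
      }
    }
  ]
}
EOF
}
```

```hcl
resource "aws_iam_group" "support" {
  name = "support"
}

# Customer-managed policy carrying the same MFA condition, attached to the group.
resource "aws_iam_policy" "mfa" {
  name   = "require-mfa"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMfaForEc2",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": ["true"]
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_group_policy_attachment" "attach" {
  group = aws_iam_group.support.name
  # aws_iam_policy.id is also the ARN, but .arn states the intent explicitly.
  policy_arn = aws_iam_policy.mfa.arn
}
```

```hcl
resource "aws_iam_group" "support" {
  name = "support"
}

resource "aws_iam_group_policy" "mfa" {
  group  = aws_iam_group.support.name
  policy = data.aws_iam_policy_document.combined.json
}

# Override document. When documents are merged, a statement in an override
# document replaces any earlier statement with the same sid, so this
# MFA-conditioned "main" statement wins over the unconditioned "main"
# statement in policy_source below.
data "aws_iam_policy_document" "policy_override" {
  statement {
    sid       = "main"
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# Source document. This "main" statement has no MFA condition; on its own it
# would be a finding, but it is replaced by the override above.
data "aws_iam_policy_document" "policy_source" {
  statement {
    sid       = "main"
    effect    = "Allow"
    actions   = ["iam:*"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "policy_misc" {
  statement {
    sid       = "misc"
    effect    = "Deny"
    actions   = ["logs:*"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "combined" {
  # policy_id replaces the former `source_json = { "Id": "base" }` form;
  # source_json / override_json are deprecated and were removed in v5 of the
  # AWS provider, so use the *_policy_documents arguments only.
  policy_id = "base"

  source_policy_documents = [
    data.aws_iam_policy_document.policy_source.json
  ]
  override_policy_documents = [
    data.aws_iam_policy_document.policy_override.json,
    data.aws_iam_policy_document.policy_misc.json
  ]

  # Inline statements are merged as well. NOTE: a Deny-all statement like this
  # makes the resulting policy grant nothing in practice; it is only
  # illustrative of how inline statements take part in the merge. Do not copy
  # it into a real policy.
  statement {
    sid       = "whatever"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
  }
}
```

#### Remediation Links
- https://registry.terraform.io/modules/terraform-module/enforce-mfa/aws/latest — the Terraform module referenced above.

- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html — AWS documentation on multi-factor authentication for IAM.

- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details — IAM account password policy settings. This covers password hygiene only; it does not configure or enforce MFA.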