
     1  package iam
     2  
     3  import (
     4  	"strings"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  )
    16  
// CheckEnforceGroupMFA reports IAM groups that have no attached policy
// conditioned on multi-factor authentication.
//
// The check is presence-based: a group passes as soon as any statement in any
// of its attached policies carries a condition whose key is
// aws:MultiFactorAuthPresent (compared case-insensitively). The statement's
// Effect, the condition operator (Bool vs BoolIfExists) and the condition
// value are not inspected, so a policy that merely references the key
// satisfies the rule even if it does not actually deny access when MFA is
// absent. Errors returned while walking the parsed document are ignored; a
// policy that yields no statements or conditions simply does not count
// towards enforcement, and the group is reported.
var CheckEnforceGroupMFA = rules.Register(
	scan.Rule{
		AVDID: "AVD-AWS-0123",
		Aliases: []string{
			"aws-iam-enforce-mfa",
		},
		Provider:   providers.AWSProvider,
		Service:    "iam",
		ShortCode:  "enforce-group-mfa",
		Summary:    "IAM groups should have MFA enforcement activated.",
		Impact:     "IAM groups are more vulnerable to compromise without multi factor authentication activated",
		Resolution: "Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced",
		Explanation: `
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.
			`,
		Links: []string{
			"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnforceMfaGoodExamples,
			BadExamples:         terraformEnforceMfaBadExamples,
			Links:               terraformEnforceMfaLinks,
			RemediationMarkdown: terraformEnforceMfaRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// Walks every group; a group is skipped (passes) on the first condition
	// keyed on aws:MultiFactorAuthPresent, otherwise a result is recorded.
	func(s *state.State) (results scan.Results) {
	groups:
		for _, group := range s.AWS.IAM.Groups {
			for _, policy := range group.Policies {
				// Parse errors are deliberately dropped: the rule has no error
				// channel, and an unreadable policy cannot prove enforcement.
				statements, _ := policy.Document.Parsed.Statements()
				for _, statement := range statements {
					conditions, _ := statement.Conditions()
					for _, condition := range conditions {
						key, _ := condition.Key()
						// Only the key is examined; Effect/operator/value are not.
						if strings.EqualFold(key, "aws:MultiFactorAuthPresent") {
							// Enforcement found: nothing else in this group matters.
							continue groups
						}
					}
				}
			}
			// NOTE(review): &group is the address of the range variable; this is
			// only safe if results.Add copies what it needs immediately (or the
			// module targets Go >= 1.22 per-iteration loop variables) — confirm.
			results.Add("Multi-Factor authentication is not enforced for group", &group)
		}
		return
	},
)