github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/iam/enforce_group_mfa.tf.go (about)

     1  package iam
     2  
// terraformEnforceMfaGoodExamples are Terraform snippets the enforce-MFA rule
// must accept: every IAM group here has a policy whose Allow statement is
// conditioned on aws:MultiFactorAuthPresent being "true", so the permissions
// it grants are withheld from sessions that did not authenticate with MFA.
var terraformEnforceMfaGoodExamples = []string{
	// 1. Inline aws_iam_group_policy with the condition in a raw JSON heredoc.
	`
resource "aws_iam_group" "support" {
  name =  "support"
}
resource aws_iam_group_policy mfa {
   
    group = aws_iam_group.support.name
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
          "Bool": {
              "aws:MultiFactorAuthPresent": ["true"]
          }
      }
    }
  ]
}
EOF
}
`,
	// 2. Managed aws_iam_policy carrying the condition, attached to the group
	//    via aws_iam_group_policy_attachment. The attachment references
	//    aws_iam_policy.mfa.id rather than .arn; for this resource the id is
	//    the policy ARN, but .arn is the conventional attribute.
	`
resource "aws_iam_group" "support" {
  name =  "support"
}
resource aws_iam_policy mfa {
   
    name = "something"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
          "Bool": {
              "aws:MultiFactorAuthPresent": ["true"]
          }
      }
    }
  ]
}
EOF
}
resource aws_iam_group_policy_attachment attach {
    group = aws_iam_group.support.name
    policy_arn = aws_iam_policy.mfa.id
}
`,

	// 3. Condition expressed through data.aws_iam_policy_document and merged
	//    via source_policy_documents / override_policy_documents. The "main"
	//    statement from policy_override (s3:* with the MFA condition)
	//    presumably replaces the same-sid "main" statement from policy_source
	//    (iam:* with no condition) — that is Terraform's documented override
	//    behaviour; confirm the adapter models it the same way. source_json is
	//    the deprecated predecessor of source_policy_documents and appears to
	//    be kept here to exercise that path. Note the trailing Deny "*"
	//    statement: as a real policy it would deny everything, so this fixture
	//    only checks that the MFA condition is found, not that the policy is
	//    sensible.
	`
resource "aws_iam_group" "support" {
  name =  "support"
}
resource aws_iam_group_policy mfa {
  group = aws_iam_group.support.name
  policy = data.aws_iam_policy_document.combined.json
}
data "aws_iam_policy_document" "policy_override" {
  statement {
    sid    = "main"
    effect = "Allow"
    actions   = ["s3:*"]
    resources = ["*"]
    condition {
        test = "Bool"
        variable = "aws:MultiFactorAuthPresent"
        values = ["true"]
    }
  }
}
data "aws_iam_policy_document" "policy_source" {
  statement {
    sid    = "main"
    effect = "Allow"
    actions   = ["iam:*"]
    resources = ["*"]
  }
}
data "aws_iam_policy_document" "policy_misc" {
  statement {
    sid    = "misc"
    effect = "Deny"
    actions   = ["logs:*"]
    resources = ["*"]
  }
}
data "aws_iam_policy_document" "combined" {
  source_json = <<EOF
    {
        "Id": "base"
    }
EOF
  source_policy_documents = [
    data.aws_iam_policy_document.policy_source.json
  ]
  override_policy_documents = [
    data.aws_iam_policy_document.policy_override.json,
    data.aws_iam_policy_document.policy_misc.json
  ]
  statement {
    sid    = "whatever"
    effect = "Deny"
    actions   = ["*"]
    resources = ["*"]
  }
}
`,
}
   122  
// terraformEnforceMfaBadExamples are Terraform snippets the enforce-MFA rule
// must flag: the group below has neither an inline aws_iam_group_policy nor an
// aws_iam_group_policy_attachment, so nothing conditions its members' access
// on aws:MultiFactorAuthPresent. The aws_caller_identity data source is
// incidental and does not affect the finding.
var terraformEnforceMfaBadExamples = []string{
	`
data aws_caller_identity current {}
resource aws_iam_group developers {
  name =  "developers"
}
`,
}
   131  
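// terraformEnforceMfaLinks are the reference links shown alongside the
// Terraform remediation for this rule. The original two entries are kept in
// place; the AWS MFA user-guide page is appended because neither of them
// documents the aws:MultiFactorAuthPresent condition key the good examples
// rely on (the second link covers the account password policy, not MFA).
var terraformEnforceMfaLinks = []string{
	`https://registry.terraform.io/modules/terraform-module/enforce-mfa/aws/latest`,
	// Account password-policy details; retained for compatibility although it
	// does not describe MFA enforcement.
	`https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details`,
	// AWS user guide on multi-factor authentication, including the
	// aws:MultiFactorAuthPresent condition key used in the examples.
	`https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html`,
}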
   135  
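// terraformEnforceMfaRemediationMarkdown is the Terraform-specific remediation
// text for the enforce-MFA rule. It was previously empty; the guidance below is
// derived from the good examples in this file (inline group policy, managed
// policy + attachment, and aws_iam_policy_document). Written as a raw string,
// so markdown fences are avoided in favour of indented code blocks.
var terraformEnforceMfaRemediationMarkdown = `
Attach a policy to every IAM group that withholds its permissions until the
caller has authenticated with MFA. The policy statement must carry a condition
on the aws:MultiFactorAuthPresent key, for example as an inline
aws_iam_group_policy:

    resource "aws_iam_group_policy" "mfa" {
      group  = aws_iam_group.support.name
      policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*",
          "Condition": {
            "Bool": { "aws:MultiFactorAuthPresent": ["true"] }
          }
        }
      ]
    }
    EOF
    }

The same condition can be expressed in a data "aws_iam_policy_document" block
(condition { test = "Bool", variable = "aws:MultiFactorAuthPresent",
values = ["true"] }) or placed on a managed aws_iam_policy that is attached to
the group with aws_iam_group_policy_attachment.

Note that an Allow statement gated on aws:MultiFactorAuthPresent only withholds
the permissions granted by that statement; permissions granted by other
policies attached to the group or to its users are unaffected. To block all
access from non-MFA sessions, AWS's documented pattern is an explicit Deny
statement that uses BoolIfExists with the value "false", so the denial also
applies when the key is absent from the request context.
`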