
     1  package iam
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  )
    11  
// checkRootHardwareMFAEnabled implements CIS AWS 1.4 control 1.6: the "root"
// user must have at least one hardware (non-virtual) MFA device registered.
//
// Scope caveat: results are only produced for a user whose name resolves to
// "root". If the scanned state contains no such user (for example because the
// adapter did not emit one), the rule yields neither a pass nor a failure, so
// the absence of a finding must not be read as "root has hardware MFA".
var checkRootHardwareMFAEnabled = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0165",
		Provider:  providers.AWSProvider,
		Service:   "iam",
		ShortCode: "enforce-root-hardware-mfa",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"1.6"},
		},
		Summary:    "The \"root\" account has unrestricted access to all resources in the AWS account. It is highly\nrecommended that this account have hardware MFA enabled.",
		Impact:     "Compromise of the root account compromises the entire AWS account and all resources within it.",
		Resolution: "Enable hardware MFA on the root user account.",
		Explanation: `
Hardware MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
			`,
		Links: []string{
			"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html",
		},
		Severity: severity.Medium,
	},
	// The check walks every IAM user in the state and evaluates only the one
	// named "root". It fails when that user has no MFA device, or when none of
	// the registered devices is a non-virtual one; it passes otherwise.
	func(s *state.State) (results scan.Results) {
		for _, user := range s.AWS.IAM.Users {
			// Non-root users are out of scope for this control.
			if !user.Name.EqualTo("root") {
				continue
			}

			// A device only counts as hardware when IsVirtual is positively
			// false. An empty device list therefore trivially yields no
			// hardware device. NOTE(review): presumably IsFalse() reports
			// false for an unresolvable value, so an unknown device type is
			// not credited as hardware (fail closed) — confirm against the
			// BoolValue implementation.
			hardwareFound := false
			for _, device := range user.MFADevices {
				if device.IsVirtual.IsFalse() {
					hardwareFound = true
					break
				}
			}

			if hardwareFound {
				results.AddPassed(&user)
			} else {
				results.Add("Root user does not have a hardware MFA device", &user)
			}
		}
		return
	},
)