Ensure no user can assume the role without MFA is specified in the condition parameter of AWS IAM User Policy

LOW

Description

Roles assumed without MFA pose a security threat: they weaken the authentication security principle and violate the defense-in-depth principle, since a single leaked long-term credential is then enough to obtain the role's permissions.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the IAM Console.
  2. Under Access Management, select Users.
  3. Choose the user you wish to edit.
  4. Select the Security credentials tab.
  5. Under Multi-factor authentication (MFA), select Assign MFA device.
  6. Follow the prompts to configure the MFA device, then Save.

In Terraform -

  1. In the aws_iam_user_policy resource, update the policy field so that the statement allowing the role to be assumed carries a condition on aws:MultiFactorAuthPresent set to true.
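
As an added example (not taken from the page or from the provider documentation), the following Terraform shows an aws_iam_user_policy with the non-compliant form the rule flags next to the corrected form that carries the aws:MultiFactorAuthPresent condition. The user name, policy names, role name and account ID are placeholders.

```hcl
# Added example, not from the original page. User, role and account ID
# (123456789012) are placeholders.
resource "aws_iam_user" "deployer" {
  name = "deployer"
}

# Non-compliant (what AC_AWS_0149 flags): anyone holding this user's
# credentials, including leaked long-term access keys, can assume the role.
# Shown for contrast only; it should be replaced by the resource below.
resource "aws_iam_user_policy" "assume_role_no_mfa" {
  name = "assume-deploy-role"
  user = aws_iam_user.deployer.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = "arn:aws:iam::123456789012:role/DeployRole"
    }]
  })
}

# Compliant: the Allow only matches when the caller authenticated with MFA.
# Requests signed with long-term access keys do not carry the
# aws:MultiFactorAuthPresent key at all, and a Bool condition on a missing
# key evaluates to false, so those requests are not allowed either.
resource "aws_iam_user_policy" "assume_role_mfa" {
  name = "assume-deploy-role-mfa"
  user = aws_iam_user.deployer.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = "arn:aws:iam::123456789012:role/DeployRole"
      Condition = {
        Bool = {
          "aws:MultiFactorAuthPresent" = "true"
        }
      }
    }]
  })
}
```

The role's trust policy is evaluated separately; adding the same condition there as well enforces MFA regardless of which user policy grants sts:AssumeRole.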

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy

Policy Details

Rule Reference ID: AC_AWS_0149
CSP: AWS
Remediation Available: No
Resource Type: Policy

Frameworks