Noovolari / leapp

Leapp is the DevTool to access your cloud
https://www.leapp.cloud/
Mozilla Public License 2.0
1.62k stars 146 forks

MFA attribute is not set when logging into AWS via chained role #262

Closed hown3d closed 2 years ago

hown3d commented 2 years ago

Describe the bug
We are using IAM Roles for access to our production environment, which can be assumed by certain users. My user is able to assume the role and has MFA configured. I configured Leapp with a chained role with my IAM user as the source. I have to provide an MFA code to start a session for the chained role, but when I open the web UI an alarm of ours is triggered (whenever someone logs into the account without MFA). The alarm is intended to follow the CIS Guidelines for AWS, especially CIS 3.2.

I inspected the event and saw that the event data shows: userIdentity.attributes.mfaAuthenticated: false.

Leapp Version: 0.11.0 (0.11.0)

To Reproduce
Steps to reproduce the behavior:

  1. Have an IAM user with MFA configured and a role to assume
  2. Start a session for the chained role and provide the MFA token
  3. Open the web UI for this role
  4. An event with userIdentity.attributes.mfaAuthenticated: false shows up in CloudTrail

Expected behavior
The event should have userIdentity.attributes.mfaAuthenticated set to true.

Screenshots
JSON message of the event that triggers the alarm:

{
   "eventVersion":"1.08",
   "userIdentity":{
      "type":"AssumedRole",
      "principalId":"XXXXXXXXXXXXXXXXX:assumed-from-leapp",
      "arn":"arn:aws:sts::XXXXXXXXXX:assumed-role/MyRole/assumed-from-leapp",
      "accountId":"XXXXXXXXXX",
      "sessionContext":{
         "sessionIssuer":{
            "type":"Role",
            "principalId":"XXXXXXXXXXXXXXXXXX",
            "arn":"arn:aws:iam::XXXXXXXXXXXXX:role/MyRole",
            "accountId":"XXXXXXXXXXXXXX",
            "userName":"MyRole"
         },
         "webIdFederationData":{

         },
         "attributes":{
            "creationDate":"2022-04-20T12:00:28Z",
            "mfaAuthenticated":"false"
         }
      }
   },
   "eventTime":"2022-04-20T12:00:29Z",
   "eventSource":"signin.amazonaws.com",
   "eventName":"ConsoleLogin",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"XXXXXXXXXXXXXXXX",
   "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
   "requestParameters":null,
   "responseElements":{
      "ConsoleLogin":"Success"
   },
   "additionalEventData":{
      "MobileVersion":"No",
      "MFAUsed":"No"
   },
   "eventID":"fadedd0d-5270-4558-940f-589448566faf",
   "readOnly":false,
   "eventType":"AwsConsoleSignIn",
   "managementEvent":true,
   "recipientAccountId":"XXXXXXXXXXXXXXXXX",
   "eventCategory":"Management",
   "tlsDetails":{
      "tlsVersion":"TLSv1.2",
      "cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256",
      "clientProvidedHostHeader":"signin.aws.amazon.com"
   }
}


hown3d commented 2 years ago

I looked into the issue myself and found that MFA is not supported when using the federation endpoint. Given this, the issue will be closed, since it is not a problem with Leapp.
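One way to see what this means for a CIS 3.2 style detection, and what to do about it, as an added example that is neither the Leapp project's code nor anything posted in this thread: the CloudTrail records and trust policies below are constructed for the example and modelled on the record above (placeholder account ID 111122223333, placeholder event IDs), and the refinement that limits the alert to userIdentity.type = IAMUser mirrors the clause later CIS benchmark revisions add to this filter. Because the federation endpoint reports MFAUsed: No for every role-based console sign-in, a role session that was opened with MFA is indistinguishable at ConsoleLogin time from one that was not; the place to enforce MFA for chained roles is therefore where the session is created, in the role's trust policy via the aws:MultiFactorAuthPresent condition, and the second check inspects exactly that.

```python
"""Added example (not Leapp code, not from the issue thread): a CIS 3.2 style
"console sign-in without MFA" check over CloudTrail ConsoleLogin records,
including the federated (AssumedRole) sign-in that opening the web UI from a
Leapp role session produces, plus a trust-policy check for the compensating
control. All records and policies are constructed; IDs are placeholders."""
import json

# Constructed: the sign-in Leapp's "open web UI" produces. Credentials came
# from an MFA-protected AssumeRole, but the federation endpoint (GetSigninToken)
# does not carry that state through, so MFAUsed / mfaAuthenticated are "No"/"false".
FEDERATED_LOGIN = {
    "eventName": "ConsoleLogin", "eventID": "00000000-0000-0000-0000-000000000001",
    "userIdentity": {
        "type": "AssumedRole", "accountId": "111122223333",
        "arn": "arn:aws:sts::111122223333:assumed-role/MyRole/assumed-from-leapp",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::111122223333:role/MyRole"},
            "attributes": {"mfaAuthenticated": "false"},
        },
    },
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
}

# Constructed: an IAM user signing in directly with password only. This is the
# case CIS 3.2 exists to catch.
DIRECT_LOGIN_NO_MFA = {
    "eventName": "ConsoleLogin", "eventID": "00000000-0000-0000-0000-000000000002",
    "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                     "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
}

# Constructed: the same user signing in with MFA; neither check should fire.
DIRECT_LOGIN_MFA = {**DIRECT_LOGIN_NO_MFA,
                    "eventID": "00000000-0000-0000-0000-000000000003",
                    "additionalEventData": {"MobileVersion": "No", "MFAUsed": "Yes"}}

# A CloudTrail log file is a JSON object with a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [FEDERATED_LOGIN, DIRECT_LOGIN_NO_MFA, DIRECT_LOGIN_MFA]})


def naive_cis_3_2(event):
    """Literal CIS 3.2 metric filter: ConsoleLogin with MFAUsed != Yes.
    Fires on every federated (role) sign-in, which is the alarm in the issue."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def scoped_cis_3_2(event):
    """Refinement: only successful sign-ins by IAM users. AssumedRole sign-ins
    always arrive through the federation endpoint with MFAUsed: No, whether or
    not the AssumeRole call required MFA, so they carry no signal here."""
    return (naive_cis_3_2(event)
            and event.get("userIdentity", {}).get("type") == "IAMUser"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success")


def evaluate(log_text):
    """Run both checks over a CloudTrail log file; returns {eventID: {check: bool}}."""
    return {e["eventID"]: {"naive": naive_cis_3_2(e), "scoped": scoped_cis_3_2(e)}
            for e in json.loads(log_text)["Records"]}


def trust_policy_requires_mfa(policy):
    """True if every Allow statement granting sts:AssumeRole is conditioned on
    aws:MultiFactorAuthPresent = true (Bool or BoolIfExists). This is the control
    that actually enforces MFA for a chained role, since ConsoleLogin cannot."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        present = {**cond.get("BoolIfExists", {}), **cond.get("Bool", {})}
        if str(present.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            return False
    return True


# Constructed trust policies for MyRole: with and without the MFA condition.
MFA_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
OPEN_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"}}]}

if __name__ == "__main__":
    for event_id, verdict in evaluate(SAMPLE_LOG).items():
        print(event_id, verdict)
    print("MyRole trust policy requires MFA:", trust_policy_requires_mfa(MFA_TRUST_POLICY))
```

Running the block shows the naive filter flagging both the federated sign-in and the password-only sign-in, while the scoped filter flags only the latter; the loss of coverage for role sessions is accepted deliberately and paid back by the trust-policy check, which should be run against every role that Leapp (or anything else) chains into.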