Closed pjhavariotis closed 1 month ago
@pjhavariotis, thanks for raising the issue, and apologies that you are facing it. Before reaching any conclusions, could you please share the serial number of the virtual_mfa_device you are using?
Thanks!!
@khushboo9024 This is the serial number I'm using! arn:aws:iam::944978845451:mfa/<email_address>
@pjhavariotis, thanks for the quick reply. Can you please run the query below and check if it resolves your issue.
select
  'arn:' || s.partition || ':::' || s.account_id as resource,
  case
    when s.account_mfa_enabled and d.serial_number is null then 'ok'
    else 'alarm'
  end status,
  case
    when s.account_mfa_enabled = false then 'MFA not enabled for root account.'
    when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'
    else 'Hardware MFA device enabled for root account.'
  end reason
from
  aws_iam_account_summary as s
  left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';
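The same decision the query makes, written here as an added example (not the aws_compliance mod's own code) over the JSON that `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices` print, so the join condition can be checked without Steampipe; the account id, serial numbers and user names in the sample are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws iam list-virtual-mfa-devices` output.
# The second device is unassigned and therefore has no "User" key.
VIRTUAL_MFA_JSON = json.dumps({
    "VirtualMFADevices": [
        {
            "SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
            "User": {"Arn": "arn:aws:iam::111122223333:root", "UserId": "111122223333"},
            "EnableDate": "2024-01-01T00:00:00+00:00",
        },
        {"SerialNumber": "arn:aws:iam::111122223333:mfa/spare-device"},
    ]
})

# Constructed sample shaped like `aws iam get-account-summary` output.
ACCOUNT_SUMMARY_JSON = json.dumps({"SummaryMap": {"AccountMFAEnabled": 1}})


def root_mfa_status(summary_json, virtual_mfa_json, partition, account_id):
    """Return (resource, status, reason) with the query's CASE logic.

    s.account_mfa_enabled  -> SummaryMap.AccountMFAEnabled == 1
    d.serial_number        -> a virtual device whose User.Arn is the root ARN
    """
    root_arn = f"arn:{partition}:iam::{account_id}:root"
    resource = f"arn:{partition}:::{account_id}"

    summary = json.loads(summary_json)["SummaryMap"]
    mfa_enabled = summary.get("AccountMFAEnabled", 0) == 1

    devices = json.loads(virtual_mfa_json).get("VirtualMFADevices", [])
    # Only a device assigned to the root ARN counts; devices assigned to
    # ordinary IAM users or unassigned devices must not trigger the alarm.
    root_virtual = [d["SerialNumber"] for d in devices
                    if (d.get("User") or {}).get("Arn") == root_arn]

    if not mfa_enabled:
        return resource, "alarm", "MFA not enabled for root account."
    if root_virtual:
        return resource, "alarm", "MFA enabled for root account, but the MFA associated is a virtual device."
    return resource, "ok", "Hardware MFA device enabled for root account."
```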
This is the query's output. It seems that it resolves the issue!
+------------------------+--------+---------------------------------------------------------------------------+
| resource | status | reason |
+------------------------+--------+---------------------------------------------------------------------------+
| arn:aws:::944978845451 | alarm | MFA enabled for root account, but the MFA associated is a virtual device. |
+------------------------+--------+---------------------------------------------------------------------------+
Describe the bug
I have just realized that the Control: IAM root user hardware MFA should be enabled is not working as expected! Specifically, I have enabled a "virtual MFA device" for my AWS account root user. As far as I know, if the ARN of the associated IAM user returned by the aws iam list-virtual-mfa-devices command output is arn:aws:iam::[aws-account-id]:root, then my AWS root account is not using a hardware-based MFA device for MFA protection. On the contrary, when I run the control mentioned above (powerpipe control run aws_compliance.control.iam_root_user_hardware_mfa_enabled), I'm getting an OK message!
Powerpipe version (powerpipe -v): Powerpipe v0.4.1
Steampipe version (steampipe -v): Steampipe v0.23.3
Plugin version (steampipe plugin list):