turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0

Control: IAM root user hardware MFA should be enabled returns OK for virtual MFA device! #811

Closed pjhavariotis closed 1 month ago

pjhavariotis commented 1 month ago

Describe the bug

I have just realized that the control "IAM root user hardware MFA should be enabled" is not working as expected! Specifically, I have enabled a "virtual MFA device" for my AWS account root user. As far as I know, if the ARN of the associated IAM user returned by the aws iam list-virtual-mfa-devices command output is arn:aws:iam::[aws-account-id]:root, then my AWS root account is not using a hardware-based MFA device for MFA protection. On the contrary, when I run the control mentioned above (powerpipe control run aws_compliance.control.iam_root_user_hardware_mfa_enabled), I'm getting an OK message!

Powerpipe version (powerpipe -v) Powerpipe v0.4.1

Steampipe version (steampipe -v) Steampipe v0.23.3

Plugin version (steampipe plugin list)

+--------------------------------------------------+---------+-------------+
| Installed                                        | Version | Connections |
+--------------------------------------------------+---------+-------------+
| hub.steampipe.io/plugins/turbot/aws@latest       | 0.145.0 | aws         |
| hub.steampipe.io/plugins/turbot/azure@latest     | 0.64.0  | azure       |
| hub.steampipe.io/plugins/turbot/azuread@latest   | 0.16.0  | azuread     |
| hub.steampipe.io/plugins/turbot/ipstack@latest   | 0.10.0  | ipstack     |
| hub.steampipe.io/plugins/turbot/net@latest       | 0.12.0  | net         |
| hub.steampipe.io/plugins/turbot/shodan@latest    | 0.7.0   | shodan      |
| hub.steampipe.io/plugins/turbot/steampipe@latest | 0.10.0  | steampipe   |
+--------------------------------------------------+---------+-------------+


khushboo9024 commented 1 month ago

@pjhavariotis, thanks for raising the issue, and apologies that you are facing it. Before reaching any conclusions, could you please share the serial number of the virtual_mfa_device you are using?

Thanks!!

pjhavariotis commented 1 month ago

@khushboo9024 This is the serial number I'm using! arn:aws:iam::944978845451:mfa/<email_address>

khushboo9024 commented 1 month ago

@pjhavariotis, thanks for the quick reply. Can you please run the query below and check if it resolves your issue?

  select
    'arn:' || s.partition || ':::' || s.account_id as resource,
    case
      when s.account_mfa_enabled and d.serial_number is null then 'ok'
      else 'alarm'
    end status,
    case
      when s.account_mfa_enabled = false then  'MFA not enabled for root account.'
      when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'
      else 'Hardware MFA device enabled for root account.'
    end reason
  from
    aws_iam_account_summary as s
    left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';

pjhavariotis commented 1 month ago

This is the query's output. It seems that it resolves the issue!

+------------------------+--------+---------------------------------------------------------------------------+
| resource               | status | reason                                                                    |
+------------------------+--------+---------------------------------------------------------------------------+
| arn:aws:::944978845451 | alarm  | MFA enabled for root account, but the MFA associated is a virtual device. |
+------------------------+--------+---------------------------------------------------------------------------+
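The same decision the corrected query makes, as an added offline example that is not part of the thread or of the mod itself: a Python function that evaluates the root user from the shapes boto3 returns for get_account_summary() and list_virtual_mfa_devices(), with constructed sample accounts covering the virtual-device, hardware-device and no-MFA cases (the account id and serial numbers are made up).

```python
"""Mirror of the corrected control logic: root MFA is only 'ok' when account
MFA is enabled AND no virtual MFA device is bound to the root user ARN.
Added example; input shapes follow boto3's get_account_summary()['SummaryMap']
and list_virtual_mfa_devices()['VirtualMFADevices'] (assumption, no API call is made)."""


def root_arn(partition, account_id):
    # Partition-aware root ARN, same construction as the SQL join condition.
    return f"arn:{partition}:iam::{account_id}:root"


def check_root_hardware_mfa(partition, account_id, summary_map, virtual_devices):
    """Return (status, reason) for one account's root user."""
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return "alarm", "MFA not enabled for root account."
    root = root_arn(partition, account_id)
    # Unassigned virtual devices carry no 'User' key; only devices whose
    # assigned user is the root ARN count against the account.
    root_virtual = [
        d["SerialNumber"] for d in virtual_devices
        if d.get("User", {}).get("Arn") == root
    ]
    if root_virtual:
        return "alarm", "MFA enabled for root account, but the MFA associated is a virtual device."
    return "ok", "Hardware MFA device enabled for root account."


# Constructed sample inputs (fictional account id and serial numbers).
SAMPLE_ACCOUNTS = {
    "virtual": ("aws", "123456789012", {"AccountMFAEnabled": 1},
                [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-virtual",
                  "User": {"Arn": "arn:aws:iam::123456789012:root"}}]),
    "hardware": ("aws", "123456789012", {"AccountMFAEnabled": 1},
                 [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
                   "User": {"Arn": "arn:aws:iam::123456789012:user/alice"}},
                  {"SerialNumber": "arn:aws:iam::123456789012:mfa/spare"}]),
    "none": ("aws-us-gov", "123456789012", {"AccountMFAEnabled": 0}, []),
}


def evaluate_samples():
    """Status per constructed account: {'virtual': 'alarm', 'hardware': 'ok', 'none': 'alarm'}."""
    return {name: check_root_hardware_mfa(*args)[0] for name, args in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    for name, args in SAMPLE_ACCOUNTS.items():
        print(name, *check_root_hardware_mfa(*args))
```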