diff --git a/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py b/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py
index 82f4b12059a..8497da78b98 100644
--- a/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py
+++ b/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py
@@ -15,9 +15,9 @@ def execute(self) -> Check_Report_AWS:
 report.resource_arn = iam_client.mfa_arn_template
 if iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"] > 0:
- virtual_mfas = iam_client.virtual_mfa_devices
- for mfa in virtual_mfas:
- if "root" in mfa["SerialNumber"]:
+ for mfa in iam_client.virtual_mfa_devices:
+ # If the ARN of the associated IAM user of the Virtual MFA device is "arn:aws:iam::[aws-account-id]:root", your AWS root account is not using a hardware-based MFA device for MFA protection.
+ if "root" in mfa.get("User", {}).get("Arn", ""):
 virtual_mfa = True
 report.status = "FAIL"
 report.status_extended = "Root account has a virtual MFA instead of a hardware MFA device enabled."
diff --git a/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py b/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py
index 0fc5f0323a5..372e08fc3d9 100644
--- a/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py
+++ b/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py
@@ -1,9 +1,6 @@
 from re import search
 from unittest import mock
-from boto3 import client
-from moto import mock_aws
-
 from tests.providers.aws.audit_info_utils import (
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_US_EAST_1,
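Review bot: The new condition `if "root" in mfa.get("User", {}).get("Arn", ""):` is still a substring test, so a virtual MFA assigned to an ordinary IAM user whose name happens to contain "root" (e.g. `user/rootuser`) would be reported as a root-account virtual MFA and FAIL the account, while the comment above it describes an exact `arn:aws:iam::[aws-account-id]:root` match. Anchoring the comparison on the ARN's resource part avoids the false positive: `if mfa.get("User", {}).get("Arn", "").endswith(":root"):` (or compare against the full root ARN built from the audited partition and account). The surrounding `execute` begins before this hunk and continues after it, so whether the loop exits after the first match is not visible here. The added inline comment is also far over any line-length limit the project is likely to enforce; wrapping it onto two or three lines would keep the explanation without the formatting noise.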
@@ -19,13 +16,20 @@ class Test_iam_root_hardware_mfa_enabled_test:
 set_mocked_aws_audit_info,
 )
- @mock_aws
- def test_root_hardware_virtual_mfa_enabled(self):
- iam = client("iam")
- mfa_device_name = "mfa-test"
- iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)
-
- from prowler.providers.aws.services.iam.iam_service import IAM
+ def test_root_virtual_mfa_enabled(self):
+ iam_client = mock.MagicMock
+ iam_client.account_summary = {
+ "SummaryMap": {"AccountMFAEnabled": 1},
+ }
+ iam_client.virtual_mfa_devices = [
+ {
+ "SerialNumber": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa/mfa",
+ "User": {"Arn": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"},
+ }
+ ]
+ iam_client.audited_partition = "aws"
+ iam_client.region = AWS_REGION_US_EAST_1
+ iam_client.mfa_arn_template = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa"
 current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
@@ -34,15 +38,12 @@ def test_root_hardware_virtual_mfa_enabled(self):
 new=current_audit_info,
 ),
 mock.patch(
 "prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
- new=IAM(current_audit_info),
- ) as service_client:
+ new=iam_client,
+ ):
 from prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled import (
 iam_root_hardware_mfa_enabled,
 )
- service_client.account_summary["SummaryMap"]["AccountMFAEnabled"] = 1
- service_client.virtual_mfa_devices[0]["SerialNumber"] = "sddfaf-root-sfsfds"
-
 check = iam_root_hardware_mfa_enabled()
 result = check.execute()
 assert result[0].status == "FAIL"
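Review bot: `iam_client = mock.MagicMock` binds the MagicMock class itself rather than an instance, so the assignments that follow (`iam_client.account_summary = ...`, `iam_client.virtual_mfa_devices = ...`) set class attributes on `unittest.mock.MagicMock` that persist for the rest of the pytest process and leak into every other test that builds a MagicMock. The test passes only because the patched module attribute happens to resolve those class attributes. The line should be `iam_client = mock.MagicMock()` here, and the same correction applies to the identical line in the `test_root_hardware_mfa_enabled` hunk below (`@@ -52,13 +53,15 @@`). The enclosing class `Test_iam_root_hardware_mfa_enabled_test` begins before this hunk.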
@@ -52,13 +53,15 @@ def test_root_hardware_virtual_mfa_enabled(self):
 )
 assert result[0].resource_id == ""
- @mock_aws
- def test_root_hardware_virtual_hardware_mfa_enabled(self):
- iam = client("iam")
- mfa_device_name = "mfa-test"
- iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)
-
- from prowler.providers.aws.services.iam.iam_service import IAM
+ def test_root_hardware_mfa_enabled(self):
+ iam_client = mock.MagicMock
+ iam_client.account_summary = {
+ "SummaryMap": {"AccountMFAEnabled": 1},
+ }
+ iam_client.virtual_mfa_devices = []
+ iam_client.audited_partition = "aws"
+ iam_client.region = AWS_REGION_US_EAST_1
+ iam_client.mfa_arn_template = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa"
 current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
@@ -67,15 +70,12 @@ def test_root_hardware_virtual_hardware_mfa_enabled(self):
 new=current_audit_info,
 ),
 mock.patch(
 "prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
- new=IAM(current_audit_info),
- ) as service_client:
+ new=iam_client,
+ ):
 from prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled import (
 iam_root_hardware_mfa_enabled,
 )
- service_client.account_summary["SummaryMap"]["AccountMFAEnabled"] = 1
- service_client.virtual_mfa_devices[0]["SerialNumber"] = ""
-
 check = iam_root_hardware_mfa_enabled()
 result = check.execute()
 assert result[0].status == "PASS"
@@ -84,7 +84,3 @@ def test_root_hardware_virtual_hardware_mfa_enabled(self):
 result[0].status_extended,
 )
 assert result[0].resource_id == ""
- assert (
- result[0].resource_arn
- == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:mfa"
- )
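Review bot: The PASS case `test_root_hardware_mfa_enabled` sets `iam_client.virtual_mfa_devices = []`, so the new `User.Arn` lookup in the check is never exercised on the negative path; the previous moto-based test at least had a device present. A realistic PASS scenario is an account where an ordinary IAM user owns a virtual MFA while root uses hardware, which is exactly the input that would expose the substring match in the check, e.g. `iam_client.virtual_mfa_devices = [{"SerialNumber": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa/user-mfa", "User": {"Arn": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/test-user"}}]`. A third case with a device that has no `User` key would also pin the `mfa.get("User", {})` default the check now relies on. The removed `resource_arn` assertion in the last hunk was the only check on that field; if it was dropped because the expected ARN was wrong rather than because the field is untested on purpose, an assertion against `iam_client.mfa_arn_template` would keep the coverage.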