fix(iam): update logic of Root Hardware MFA check #4774

Aug 16, 2024
Expand Up @@ -15,9 +15,9 @@ def execute(self) -> Check_Report_AWS:
report.resource_arn = iam_client.mfa_arn_template

if iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"] > 0:
virtual_mfas = iam_client.virtual_mfa_devices
for mfa in virtual_mfas:
if "root" in mfa["SerialNumber"]:
for mfa in iam_client.virtual_mfa_devices:
# If the ARN of the associated IAM user of the Virtual MFA device is "arn:aws:iam::[aws-account-id]:root", your AWS root account is not using a hardware-based MFA device for MFA protection.
if "root" in mfa.get("User", {}).get("Arn", ""):
virtual_mfa = True
report.status = "FAIL"
report.status_extended = "Root account has a virtual MFA instead of a hardware MFA device enabled."
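Review bot: The new condition `if "root" in mfa.get("User", {}).get("Arn", ""):` is a substring test, so any virtual MFA assigned to an IAM user whose ARN merely contains "root" (a user or path named e.g. "rootadmin") would be reported as the root account using a virtual MFA, a false FAIL that the comment on the line above does not intend. Since that comment states the root principal's ARN ends in `:root`, the match should be anchored: `if mfa.get("User", {}).get("Arn", "").endswith(":root"):`. The comment itself is a single very long line and would read better wrapped to the file's line length. `execute` starts before and continues after this hunk, so whether the `virtual_mfa` flag set here is consumed later cannot be confirmed from the visible lines.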
@@ -1,9 +1,6 @@
from re import search
from unittest import mock

from boto3 import client
from moto import mock_aws

from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
Expand All @@ -19,13 +16,20 @@ class Test_iam_root_hardware_mfa_enabled_test:
set_mocked_aws_audit_info,
)

@mock_aws
def test_root_hardware_virtual_mfa_enabled(self):
iam = client("iam")
mfa_device_name = "mfa-test"
iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)

from prowler.providers.aws.services.iam.iam_service import IAM
def test_root_virtual_mfa_enabled(self):
iam_client = mock.MagicMock
iam_client.account_summary = {
"SummaryMap": {"AccountMFAEnabled": 1},
}
iam_client.virtual_mfa_devices = [
{
"SerialNumber": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa/mfa",
"User": {"Arn": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"},
}
]
iam_client.audited_partition = "aws"
iam_client.region = AWS_REGION_US_EAST_1
iam_client.mfa_arn_template = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa"

current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])

Expand All @@ -34,15 +38,12 @@ def test_root_hardware_virtual_mfa_enabled(self):
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:
new=iam_client,
):
from prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled import (
iam_root_hardware_mfa_enabled,
)

service_client.account_summary["SummaryMap"]["AccountMFAEnabled"] = 1
service_client.virtual_mfa_devices[0]["SerialNumber"] = "sddfaf-root-sfsfds"

check = iam_root_hardware_mfa_enabled()
result = check.execute()
assert result[0].status == "FAIL"
Expand All @@ -52,13 +53,15 @@ def test_root_hardware_virtual_mfa_enabled(self):
)
assert result[0].resource_id == "<root_account>"

@mock_aws
def test_root_hardware_virtual_hardware_mfa_enabled(self):
iam = client("iam")
mfa_device_name = "mfa-test"
iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)

from prowler.providers.aws.services.iam.iam_service import IAM
def test_root_hardware_mfa_enabled(self):
iam_client = mock.MagicMock
iam_client.account_summary = {
"SummaryMap": {"AccountMFAEnabled": 1},
}
iam_client.virtual_mfa_devices = []
iam_client.audited_partition = "aws"
iam_client.region = AWS_REGION_US_EAST_1
iam_client.mfa_arn_template = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa"

current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])

Expand All @@ -67,15 +70,12 @@ def test_root_hardware_virtual_hardware_mfa_enabled(self):
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:
new=iam_client,
):
from prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled import (
iam_root_hardware_mfa_enabled,
)

service_client.account_summary["SummaryMap"]["AccountMFAEnabled"] = 1
service_client.virtual_mfa_devices[0]["SerialNumber"] = ""

check = iam_root_hardware_mfa_enabled()
result = check.execute()
assert result[0].status == "PASS"
Expand All @@ -84,7 +84,3 @@ def test_root_hardware_virtual_hardware_mfa_enabled(self):
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:mfa"
)
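Review bot: `iam_client = mock.MagicMock` in test_root_virtual_mfa_enabled binds the MagicMock class rather than an instance, so the assignments that follow (`account_summary`, `virtual_mfa_devices`, `audited_partition`, `region`, `mfa_arn_template`) become class attributes on `unittest.mock.MagicMock` itself and leak into every later test in the process; test_root_hardware_mfa_enabled repeats the same pattern. The fix is the missing call, `iam_client = mock.MagicMock()`, in both tests. Because the check now keys on the User ARN instead of the serial number, a third case with a virtual MFA assigned to a non-root user (User Arn ending in `:user/<name>`) that asserts PASS would pin the new logic and catch an over-broad match.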