Comments (8)
Thanks @virtualjj. As you say there, I didn't find a query to figure out if hardware MFA is used, so I queried for just MFA, which is also a good and pretty valid check. I'm fixing it now as you suggest and also adding a comment to clarify that, in case of OK, it is virtual MFA.
from prowler.
As you say, running:
aws iam get-account-summary | grep MFA
I get:
"MFADevicesInUse": 1,
"MFADevices": 1,
"AccountMFAEnabled": 1,
In my case I also use virtual MFA, so there is no way to see if it is HW or not.
Cool - I raised a support request with AWS to see if there is a workaround for this and will update as soon as I get an answer.
Thanks again for this very helpful project!
Thanks @virtualjj. I will also go ahead and change the check command to this one, which seems to be more accurate even though we don't know if it is HW or SW: aws iam get-account-summary |grep AccountMFAEnabled | awk -F":\ " '{ print $2 }'|sed 's/,//'
@virtualjj, just committed the change. I have tested it in two accounts and it works. You can test it now. Glad you find it helpful.
Tested and confirmed:
I think this is a reasonable message, since the hardware MFAs listed as supported by AWS have synchronization issues which, in my opinion, aren't worth the trouble.
I did receive a reply from AWS support that root MFA API / CLI calls are limited for security reasons citing this resource:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html
The workaround proposed by AWS support requires having paid support (for Trusted Advisor) and these commands, which I wasn't able to test since my dev AWS account doesn't have paid support:
sudo yum install jq
check_id=$(aws support describe-trusted-advisor-checks --language en --region us-east-1 | jq -r '.checks[] | select(.name == "MFA on Root Account") | .id')
aws support describe-trusted-advisor-check-result --check-id "$check_id" --region us-east-1 | jq -r '.result.status'
I have checked those commands with one of our paid support accounts and I don't think they add more value or information to what I currently have with the existing check. Another reason to write prowler was to not depend on your support status to get good advice about security. Thanks for your time looking at it @virtualjj.
Awesome and agreed - thanks again!
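The root MFA check discussed in this thread, as an added example that is not prowler's own code and not something either commenter posted. It goes one step beyond the thread, which stops at AccountMFAEnabled: `aws iam list-virtual-mfa-devices --assignment-status Assigned` lists every virtual MFA device together with the ARN of the principal it is assigned to, and the root user's ARN ends in `:root`. So if root MFA is enabled but no virtual device is assigned to root, the device is not virtual (a hardware TOTP token or a FIDO security key). The account id 123456789012, the serial numbers and the IAM user `alice` in the sample JSON are constructed for the example; `root_mfa_type_from_cli` assumes the `aws` CLI is installed and has read credentials (iam:GetAccountSummary, iam:ListVirtualMFADevices).

```python
"""Classify the AWS root user's MFA as NONE, VIRTUAL or HARDWARE.

Added example (not prowler's code). The classification combines two
read-only IAM calls that the thread above discusses separately:
  - get-account-summary       -> AccountMFAEnabled tells us *if* root has MFA
  - list-virtual-mfa-devices  -> tells us which virtual devices are assigned
                                 to which principal, root included
"""
import json
import subprocess

ROOT_ARN_SUFFIX = ":root"  # root user ARN looks like arn:aws:iam::<account>:root


def root_mfa_type(account_summary: dict, virtual_devices: dict) -> str:
    """Decide root MFA type from the parsed JSON of the two IAM calls.

    Returns "NONE" when root has no MFA at all, "VIRTUAL" when a virtual
    (software TOTP) device is assigned to root, and "HARDWARE" otherwise,
    i.e. MFA is enabled but the device is not in the virtual-device list
    (hardware TOTP token or FIDO security key).
    """
    summary = account_summary.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        return "NONE"
    for device in virtual_devices.get("VirtualMFADevices", []):
        # Unassigned devices carry no "User" key; assigned ones carry the
        # principal's ARN, which for the root user ends in ":root".
        user_arn = device.get("User", {}).get("Arn", "")
        if user_arn.endswith(ROOT_ARN_SUFFIX):
            return "VIRTUAL"
    return "HARDWARE"


def root_mfa_type_from_cli() -> str:
    """Run the two IAM calls through the aws CLI and classify the result.

    The CLI paginates list-virtual-mfa-devices by itself, so every assigned
    virtual device is seen even in accounts with many IAM users.
    """
    summary = json.loads(subprocess.check_output(
        ["aws", "iam", "get-account-summary", "--output", "json"]))
    devices = json.loads(subprocess.check_output(
        ["aws", "iam", "list-virtual-mfa-devices",
         "--assignment-status", "Assigned", "--output", "json"]))
    return root_mfa_type(summary, devices)


# Constructed sample outputs (hypothetical account 123456789012), shaped like
# the real CLI JSON but not captured from any real account.
SAMPLE_SUMMARY_ENABLED = {"SummaryMap": {
    "AccountMFAEnabled": 1, "MFADevices": 1, "MFADevicesInUse": 1}}
SAMPLE_SUMMARY_DISABLED = {"SummaryMap": {
    "AccountMFAEnabled": 0, "MFADevices": 0, "MFADevicesInUse": 0}}
SAMPLE_VIRTUAL_ROOT = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root",
             "UserId": "123456789012"}}]}
SAMPLE_VIRTUAL_USER_ONLY = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
    "User": {"Arn": "arn:aws:iam::123456789012:user/alice",
             "UserName": "alice", "UserId": "AIDAEXAMPLE123456789"}}]}
SAMPLE_NO_VIRTUAL = {"VirtualMFADevices": []}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("root + virtual device  ->",
          root_mfa_type(SAMPLE_SUMMARY_ENABLED, SAMPLE_VIRTUAL_ROOT))
    print("root MFA, only IAM-user virtual device ->",
          root_mfa_type(SAMPLE_SUMMARY_ENABLED, SAMPLE_VIRTUAL_USER_ONLY))
    print("no root MFA            ->",
          root_mfa_type(SAMPLE_SUMMARY_DISABLED, SAMPLE_VIRTUAL_ROOT))
    # Live check against the account the aws CLI is configured for:
    # print(root_mfa_type_from_cli())
```

The decision is deliberately based on assignment ARNs rather than on counting devices: `MFADevicesInUse` in the account summary counts devices for all IAM users too, so a value of 1 says nothing about root once any IAM user has MFA. A "HARDWARE" result means only that the root device is not a virtual one; the thread's observation that the API exposes nothing more about the root device itself still holds.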