Need

Ensure IAM policies enforce Multi-Factor Authentication (MFA) to prevent unauthorized access and privilege escalation.

Context

• AWS CloudFormation used for defining IAM policies

• Multi-Factor Authentication (MFA) is essential for secure access control

Description

1. Non-compliant code

```yaml
Resources:
  InsecureIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/ExampleUser...
```

This CloudFormation template defines an IAM role and policy that grants permissions without requiring MFA. The policy allows all actions (`Action: "*"`) without checking whether MFA is present, so stolen long-term credentials alone are enough to use its permissions.

2. Steps

• Add an IAM policy condition to deny access without MFA

• Require MFA for IAM users and roles

• Test authentication flows to verify MFA enforcement

3. Secure code example

```yaml
Resources:
  SecurePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Deny
            Resource: "*"...
```

This version enforces MFA by **denying access to users who have not authenticated with MFA** using the condition `aws:MultiFactorAuthPresent: false`.
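As an added example (not part of the original page or any AWS tooling), the following hypothetical policy linter takes a `PolicyDocument` in its JSON form and reports whether it contains the MFA-enforcing Deny statement described above. The two embedded policies are constructed samples that mirror the non-compliant and secure templates; the `BoolIfExists` distinction is the caveat a reviewer should check, because `aws:MultiFactorAuthPresent` is absent from requests signed with long-term access keys.

```python
"""Hypothetical linter: does an IAM policy document deny access without MFA?"""

# Constructed sample: allows everything, never looks at MFA.
INSECURE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: same Allow, plus an explicit Deny when MFA is not present.
# NotAction leaves the calls a user needs to enrol an MFA device in the first place.
SECURE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                          "iam:ListVirtualMFADevices", "sts:GetSessionToken"],
            "Resource": "*",
            # BoolIfExists: the Deny also fires when the key is missing entirely
            # (long-term access keys); plain Bool would silently not match there.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    """IAM allows scalar-or-list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def mfa_deny_operator(stmt):
    """Return the condition operator of an MFA-enforcing Deny statement, else None."""
    if stmt.get("Effect") != "Deny" or "*" not in _as_list(stmt.get("Resource", [])):
        return None
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false":
            return op
    return None


def enforces_mfa(policy):
    """True if some statement denies access when MFA is not present."""
    return any(mfa_deny_operator(s) for s in _as_list(policy.get("Statement", [])))


def covers_long_term_keys(policy):
    """True only if the MFA Deny uses BoolIfExists, so access-key requests are denied too."""
    ops = [mfa_deny_operator(s) for s in _as_list(policy.get("Statement", []))]
    return "BoolIfExists" in ops


def unconditional_wildcard_allows(policy):
    """Allow statements granting every action with no Condition at all."""
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action", []))
            and "Condition" not in s]
```

Run it against a template's `PolicyDocument` after converting the YAML to JSON; a policy that passes `enforces_mfa` but fails `covers_long_term_keys` still needs the operator changed to `BoolIfExists`.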