Lack of multi-factor authentication - CloudFormation


Need

Ensure IAM policies enforce Multi-Factor Authentication (MFA) to prevent unauthorized access and privilege escalation.


Context

  1. AWS CloudFormation is used to define IAM policies
  2. Multi-Factor Authentication (MFA) is essential for secure access control

Description

Insecure Code Example

```yaml
Resources:
  InsecureIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/ExampleUser
            Action: sts:AssumeRole

  InsecurePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: InsecurePolicy   # required by AWS::IAM::Policy
      Roles:
        - !Ref InsecureIAMRole     # an inline policy must be attached to a user, group or role
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # No MFA condition: any valid credential can exercise these permissions
          - Effect: Allow
            Action: "*"
            Resource: "*"
```

This CloudFormation template defines an IAM role and policy that grant permissions without requiring MFA. The policy allows all actions (`Action: "*"`) with no condition on `aws:MultiFactorAuthPresent`, so anyone holding a stolen password or access key can use the full set of permissions.

Steps

  1. Add an IAM policy condition to deny access without MFA
  2. Require MFA for IAM users and roles
  3. Test authentication flows to verify MFA enforcement

Secure Code Example

```yaml
Resources:
  SecurePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: SecurePolicy     # required by AWS::IAM::Policy
      Users:
        - ExampleUser              # attach to the user from the insecure example
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The explicit Deny overrides the Allow below whenever MFA is not present.
          # BoolIfExists also matches when the key is absent from the request,
          # which is the case for calls signed with long-term access keys.
          - Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              BoolIfExists:
                aws:MultiFactorAuthPresent: "false"
          - Effect: Allow
            Action: "*"
            Resource: "*"
```

This version enforces MFA by **denying access to requests that were not authenticated with MFA**. The `Deny` statement matches when `aws:MultiFactorAuthPresent` is `false`, and because the operator is `BoolIfExists` it also matches when the key is absent from the request, as it is for calls signed with long-term access keys. An explicit deny always overrides the `Allow` statement that follows, so the permissions are only usable from an MFA-authenticated session.
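As an added illustration that is not part of the original page, the following stdlib-only Python evaluator models how IAM treats the policy above for three request contexts: MFA present, MFA absent, and the key missing entirely (long-term access keys). The policy JSON is a constructed copy of the secure example, and `with_plain_bool` is a hypothetical helper that swaps in `Bool` to show why `BoolIfExists` is the operator this pattern needs.

```python
import copy
import json

# Constructed copy of the page's SecurePolicy document, in JSON form.
MFA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

def condition_matches(condition, context):
    """Evaluate a Condition block that uses only Bool / BoolIfExists (ANDed)."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        if operator.removesuffix("IfExists") != "Bool":
            raise ValueError(f"unsupported operator: {operator}")
        for key, wanted in pairs.items():
            if key not in context:
                # Bool fails on a missing key; BoolIfExists treats it as a match.
                if not if_exists:
                    return False
                continue
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True

def evaluate(policy, context):
    """Return 'Allow' or 'Deny'; explicit Deny overrides Allow, no Allow is a deny."""
    allowed = False
    for stmt in policy["Statement"]:  # every statement here uses Action/Resource "*"
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

def with_plain_bool(policy):
    """Hypothetical weaker variant: the same policy with Bool instead of BoolIfExists."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return weak
```

Calling `evaluate(MFA_POLICY, {})` returns `Deny` (no MFA key means long-term credentials), while `evaluate(with_plain_bool(MFA_POLICY), {})` returns `Allow`, which is exactly the gap the `BoolIfExists` operator closes.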


References

  • 081 - Lack of multi-factor authentication

Last updated: 2025/04/03