IAM Groups should have MFA enforcement activated.
Default Severity: medium
Explanation
IAM user accounts should be protected with multi factor authentication to add safe guards to password compromise.
Possible Impact
User accounts are more vulnerable to compromise without multi factor authentication activated
Suggested Resolution
Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced
Insecure Example
The following example will fail the aws-iam-enforce-mfa check.
data aws_caller_identity current {}
resource aws_iam_group developers {
name = "developers"
}
Secure Example
The following example will pass the aws-iam-enforce-mfa check.
resource "aws_iam_group" "support" {
name = "support"
}
resource aws_iam_group_policy mfa {
group = aws_iam_group.support.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": ["true"]
}
}
}
]
}
EOF
}