Lack of multi-factor authentication - cloudformation

Need

Ensure IAM policies enforce Multi-Factor Authentication (MFA) to prevent unauthorized access and privilege escalation.

Context

  • AWS CloudFormation is used to define IAM roles and policies
  • Multi-Factor Authentication (MFA) is essential for secure access control: a single stolen credential must not be enough to act in the account

Description

Non compliant code

        Resources:
          InsecureIAMRole:
            Type: AWS::IAM::Role
            Properties:
              # Trust policy: ExampleUser may assume the role with any valid
              # credentials; nothing asks whether the caller used MFA
              AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: arn:aws:iam::123456789012:user/ExampleUser
                    Action: sts:AssumeRole

          InsecurePolicy:
            Type: AWS::IAM::Policy
            Properties:
              PolicyName: InsecureFullAccess
              Roles:
                - !Ref InsecureIAMRole
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  # Full access with no condition on aws:MultiFactorAuthPresent
                  - Effect: Allow
                    Action: "*"
                    Resource: "*"


This CloudFormation template defines an IAM role and an inline policy that grant full permissions (Action: "*" on Resource: "*") with no condition on aws:MultiFactorAuthPresent. Neither the role's trust policy nor the permissions policy checks whether the caller authenticated with MFA, so anyone holding ExampleUser's long-term access keys, for example after a credential leak, gets unrestricted access on the strength of that single factor.

Steps

  • Add an explicit Deny statement with the condition BoolIfExists aws:MultiFactorAuthPresent: false to the permissions policy, so requests made without MFA are rejected
  • Require MFA for IAM users and roles, including a Bool aws:MultiFactorAuthPresent: true condition on sts:AssumeRole in role trust policies
  • Test authentication flows with and without MFA, including requests signed with long-term access keys, to verify MFA enforcement

Compliant code

        Resources:
          SecureIAMRole:
            Type: AWS::IAM::Role
            Properties:
              # Trust policy: the role can only be assumed from an MFA-authenticated session
              AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: arn:aws:iam::123456789012:user/ExampleUser
                    Action: sts:AssumeRole
                    Condition:
                      Bool:
                        aws:MultiFactorAuthPresent: true

          SecurePolicy:
            Type: AWS::IAM::Policy
            Properties:
              PolicyName: DenyWithoutMFA
              Roles:
                - !Ref SecureIAMRole
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  # Explicit Deny wins over Allow. BoolIfExists also matches requests that
                  # carry no MFA key at all (long-term access keys), which plain Bool would not
                  - Effect: Deny
                    Action: "*"
                    Resource: "*"
                    Condition:
                      BoolIfExists:
                        aws:MultiFactorAuthPresent: false
                  - Effect: Allow
                    Action: "*"
                    Resource: "*"


This version enforces MFA by **denying every action to callers who have not authenticated with MFA**: the explicit Deny with the condition aws:MultiFactorAuthPresent: false overrides the Allow statement, so the Allow only takes effect for MFA-authenticated sessions. The BoolIfExists operator matters. Requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and BoolIfExists treats a missing key as a match, so those requests are denied as well; a plain Bool condition would not match and would let them through. Two caveats remain. A user who has no MFA device yet cannot enrol one under this policy unless the Deny statement carves out the MFA-management actions and sts:GetSessionToken with NotAction. And the Allow "*" on "*" statement still grants far more than least privilege requires; the MFA condition should be added to a scoped policy, not used as a substitute for one.
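The last step, testing the authentication flows, is where this pattern usually turns out weaker than expected. The script below is an added example, not code from the page's template or from AWS, that models just enough of IAM's policy evaluation to replay the page's non-compliant and compliant policies against three constructed request contexts: a request signed with long-term access keys (which carries no aws:MultiFactorAuthPresent key), a temporary session without MFA, and an MFA-authenticated session. It also includes two variants that are assumptions of this example rather than code from the page: a Deny written with Bool instead of BoolIfExists, to show the bypass, and a NotAction carve-out following the MFA self-service pattern AWS documents, so users can still enrol a device. Resource matching and condition operators other than Bool and BoolIfExists are not modelled.

```python
"""Mini IAM evaluator for the MFA-condition pattern (added example).

Models only what the pattern depends on: explicit Deny beats Allow, no
matching Allow is an implicit deny, Action/NotAction matching, and the
Bool vs BoolIfExists operators. Policies and contexts are constructed.
"""
from fnmatch import fnmatchcase

# Mirrors the page's non-compliant and compliant policy documents.
INSECURE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

SECURE_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# Common mistake (assumed variant): plain Bool instead of BoolIfExists.
WEAK_OPERATOR_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# Assumed variant: NotAction carve-out so a user can still enrol an MFA
# device; the action list follows AWS's documented self-service pattern.
MFA_SELF_SERVICE = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice", "sts:GetSessionToken",
]
SECURE_WITH_ENROLMENT = {"Statement": [
    {"Effect": "Deny", "NotAction": MFA_SELF_SERVICE, "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# Request contexts (constructed). Long-term access keys carry no
# aws:MultiFactorAuthPresent key at all; temporary credentials carry it
# as "true" or "false".
CTX_LONG_TERM_KEY = {}
CTX_TEMP_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CTX_TEMP_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """Action: any pattern matches. NotAction: no pattern matches."""
    if "Action" in stmt:
        return any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_matches(condition, ctx):
    """Bool needs the key present and equal; BoolIfExists treats a
    missing key as a match (that is what catches long-term keys)."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(have).lower() != str(want).lower():
                return False
    return True


def is_allowed(policy, action, ctx):
    """IAM order: any matching explicit Deny wins; otherwise an Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def mfa_report(policy, action="s3:GetObject"):
    """Outcome of one action under the three credential types."""
    return {
        "long_term_key": is_allowed(policy, action, CTX_LONG_TERM_KEY),
        "temp_no_mfa": is_allowed(policy, action, CTX_TEMP_NO_MFA),
        "temp_with_mfa": is_allowed(policy, action, CTX_TEMP_WITH_MFA),
    }


if __name__ == "__main__":
    for name, policy in [("insecure", INSECURE_POLICY),
                         ("weak Bool operator", WEAK_OPERATOR_POLICY),
                         ("secure", SECURE_POLICY),
                         ("secure + enrolment", SECURE_WITH_ENROLMENT)]:
        print(f"{name:20} {mfa_report(policy)}")
    print("enrol device without MFA:",
          is_allowed(SECURE_WITH_ENROLMENT, "iam:EnableMFADevice", CTX_LONG_TERM_KEY))
```

Run it and compare the three columns: the insecure policy allows everything, the weak Bool variant still allows long-term access keys (the exact credential an attacker is most likely to steal), the page's compliant policy allows only the MFA session, and the enrolment variant keeps that result for ordinary actions while letting iam:EnableMFADevice through so a new user can set up a device.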

References