Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
1Dashboards
78Benchmarks
40Queries
2Variables
GitHub

Control: 1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password

Description

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user logs on to Alibaba Cloud, they will be prompted for their user name and password followed by an authentication code from their virtual MFA device. It is recommended that MFA be enabled for all users that have a console password.

Remediation

From Console

Perform the following to determine if an MFA device is enabled for all RAM users having a console password:

  1. Logon to RAM console.
  2. Choose Identities > Users.
  3. In the User Logon Name/Display Name column, click the username of each RAM user.
  4. In the Console Logon Management section, click Modify Logon Settings.
  5. Select Enabled for Console Password Logon, and Required for Enable MFA.
  • Note: After you select Enabled for Console Password Logon, and Required for Enable MFA when modifying the logon settings of a RAM user, the user can go to step 7 when logging on to the RAM console for the first time.
  1. In the MFA Device section, click Enable the device.
  2. Download and install Google Authenticator on your mobile phone.
    • For iOS: Install Google Authenticator from the App Store.
    • For Android: Install Google Authenticator from the Google Play Store.
  • Note: You need to install a QR code scanner from the Google Play Store for Google Authenticator to identify QR codes.
  1. Open Google Authenticator and tap BEGIN SETUP.
    • Tap Scan barcode and scan the QR code displayed on the Scan the code tab in the console.
    • Tap Manual entry, enter the username and key, and then tap the check mark (√) icon.
  • Note: You can obtain the username and key from the Retrieval manually enter information tab in the console.
  1. On the Scan the code tab, enter the two consecutive security codes obtained from Google Authenticator and click Enable.
  • Note: The security code is refreshed at an interval of 30 seconds.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_4 --share

SQL

This control uses a named query:

select
  'acs:ram::' || account_id || ':user/' || user_name as resource,
  case
    when password_exist and not mfa_active then 'alarm'
    else 'ok'
  end as status,
  case
    when not password_exist then user_name || ' password login disabled.'
    when password_exist and not mfa_active then user_name || ' password login enabled but no MFA device configured.'
    else user_name || ' password login enabled and MFA device configured.'
  end as reason
  , account_id as account_id
from
  alicloud_ram_credential_report;

Tags

category = Compliance
cis = true
cis_item_id = 1.4
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/RAM