turbot/alicloud_compliance

Control: 1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password

Description

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user logs on to Alibaba Cloud, they will be prompted for their user name and password followed by an authentication code from their virtual MFA device. It is recommended that MFA be enabled for all users that have a console password.

Remediation

From Console

Perform the following to determine if an MFA device is enabled for all RAM users having a console password:

  1. Logon to RAM console.
  2. Choose Identities > Users.
  3. In the User Logon Name/Display Name column, click the username of each RAM user.
  4. In the Console Logon Management section, click Modify Logon Settings.
  5. Select Enabled for Console Password Logon, and Required for Enable MFA.
  • Note: After you select Enabled for Console Password Logon, and Required for Enable MFA when modifying the logon settings of a RAM user, the user can go to step 7 when logging on to the RAM console for the first time.
  1. In the MFA Device section, click Enable the device.
  2. Download and install Google Authenticator on your mobile phone.
    • For iOS: Install Google Authenticator from the App Store.
    • For Android: Install Google Authenticator from the Google Play Store.
  • Note: You need to install a QR code scanner from the Google Play Store for Google Authenticator to identify QR codes.
  1. Open Google Authenticator and tap BEGIN SETUP.
    • Tap Scan barcode and scan the QR code displayed on the Scan the code tab in the console.
    • Tap Manual entry, enter the username and key, and then tap the check mark (√) icon.
  • Note: You can obtain the username and key from the Retrieval manually enter information tab in the console.
  1. On the Scan the code tab, enter the two consecutive security codes obtained from Google Authenticator and click Enable.
  • Note: The security code is refreshed at an interval of 30 seconds.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_4 --share

SQL

This control uses a named query:

ram_user_console_access_mfa_enabled

Tags