Query: iam_root_user_virtual_mfa

Usage

powerpipe query aws_top_10.query.iam_root_user_virtual_mfa

Steampipe Tables

aws_iam_account_summary

aws_iam_virtual_mfa_device

SQL

select
  'arn:' || s.partition || ':::' || s.account_id as resource,
  case
    when account_mfa_enabled and serial_number is not null then 'ok'
    else 'alarm'
  end status,
  case
    when account_mfa_enabled = false then 'MFA is not enabled for the root user.'
    when serial_number is null then 'MFA is enabled for the root user, but the MFA associated with the root user is a hardware device.'
    else 'Virtual MFA enabled for the root user.'
  end reason
  , s.account_id
from
  aws_iam_account_summary as s
  left join aws_iam_virtual_mfa_device on serial_number = 'arn:' || s.partition || ':iam::' || s.account_id || ':mfa/root-account-mfa-device';

Controls

The query is being used by the following controls:

IAM root user virtual MFA should be enabled