turbot/oci_compliance

Control: 1.7 Ensure MFA is enabled for all users with a console password

Description

Multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user’s identity.

With MFA enabled in the IAM service, when a user signs in to Oracle Cloud Infrastructure, they are prompted for their user name and password, which is the first factor (something they know). The user is then prompted for a verification code from a registered MFA device, which is the second factor (something they have). The two factors work together, adding an extra layer of security to verify the user's identity before the sign-in completes.

OCI IAM supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).

See OCI documentation for more details.

Remediation

Each user must enable MFA for themselves using a device they will have access to every time they sign in. An administrator cannot enable MFA on behalf of another user, but can enforce MFA by identifying the non-compliant users, notifying them, or disabling their access by resetting the password of each non-compliant account.

Disabling access from Console:

  1. Log in to the OCI console.
  2. Select Identity from the Services menu.
  3. Select Users from the Identity menu.
  4. Click each non-compliant user.
  5. Click Create/Reset Password.

From Command Line

Execute the following:

oci iam user ui-password create-or-reset --user-id <OCID of the non-compliant user>
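The remediation above has two parts: find the users who have a console password but no MFA, then reset each one's password. The following script is an added example, not code from the oci_compliance mod or from Oracle. It assumes the JSON shape produced by `oci iam user list --all --output json` (kebab-case keys such as "is-mfa-activated", "lifecycle-state" and "capabilities.can-use-console-password"); the user records embedded below are constructed sample data. Users who cannot use a console password (API-key-only service users) and users that are not ACTIVE are skipped rather than flagged, which is the distinction the control's name implies.

```python
"""Identify OCI IAM users with a console password but no MFA and emit the
password-reset commands from the remediation steps.

Added example (not part of the oci_compliance mod). Assumes the output
shape of `oci iam user list --all --output json`; sample data is constructed.
"""
import json
import shlex

# Constructed sample, shaped like `oci iam user list --all --output json`.
SAMPLE_USER_LIST = json.dumps({
    "data": [
        {"id": "ocid1.user.oc1..aaaaexample1", "name": "alice",
         "lifecycle-state": "ACTIVE", "is-mfa-activated": True,
         "capabilities": {"can-use-console-password": True, "can-use-api-keys": True}},
        {"id": "ocid1.user.oc1..aaaaexample2", "name": "bob",
         "lifecycle-state": "ACTIVE", "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": True, "can-use-api-keys": False}},
        {"id": "ocid1.user.oc1..aaaaexample3", "name": "svc-deploy",
         "lifecycle-state": "ACTIVE", "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": False, "can-use-api-keys": True}},
        {"id": "ocid1.user.oc1..aaaaexample4", "name": "carol",
         "lifecycle-state": "DELETED", "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": True, "can-use-api-keys": False}},
    ]
})


def evaluate_user(user: dict) -> str:
    """Return 'ok', 'alarm' or 'skip' for one user record.

    Only users who can sign in to the console with a password are in scope;
    those without MFA are non-compliant. Non-ACTIVE users are skipped
    because they cannot sign in at all.
    """
    if user.get("lifecycle-state", "ACTIVE") != "ACTIVE":
        return "skip"
    caps = user.get("capabilities") or {}
    if not caps.get("can-use-console-password", False):
        return "skip"  # no console password to protect (e.g. API-key-only users)
    return "ok" if user.get("is-mfa-activated") else "alarm"


def non_compliant_users(user_list_json: str) -> list[dict]:
    """Parse CLI output and return the records evaluated as 'alarm'."""
    users = json.loads(user_list_json).get("data", [])
    return [u for u in users if evaluate_user(u) == "alarm"]


def reset_commands(user_list_json: str) -> list[str]:
    """Build the page's remediation command for each non-compliant user.

    The commands are returned, not executed: resetting a password is
    disruptive, so an operator should review the list first. The reset
    command prints a one-time password that must be handled accordingly.
    """
    return [
        f"oci iam user ui-password create-or-reset --user-id {shlex.quote(u['id'])}"
        for u in non_compliant_users(user_list_json)
    ]


if __name__ == "__main__":
    for u in non_compliant_users(SAMPLE_USER_LIST):
        print(f"ALARM: {u['name']} ({u['id']}) has a console password but no MFA")
    print("# remediation (review before running):")
    for cmd in reset_commands(SAMPLE_USER_LIST):
        print(cmd)
```

To run against a real tenancy, replace `SAMPLE_USER_LIST` with the captured output of `oci iam user list --all --output json` and pipe the printed commands through review before executing them; the notify-first step from the remediation text is deliberately left to the operator.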

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_1_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_1_7 --share

SQL

This control uses a named query:

identity_user_console_access_mfa_enabled

Tags