Control: 1.7 Ensure MFA is enabled for all users with a console password
Description
Multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user’s identity.
With MFA enabled in the IAM service, when a user signs in to Oracle Cloud Infrastructure, they are prompted for their user name and password, which is the first factor (something that they know). The user is then prompted to provide a second verification code from a registered MFA device, which is the second factor (something that they have). The two factors work together, requiring an extra layer of security to verify the user’s identity and complete the sign-in process.
OCI IAM supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).
See OCI documentation for more details.
Multi-factor authentication adds an extra layer of security during the login process and makes it harder for unauthorized users to gain access to OCI resources.
Remediation
OCI IAM without Identity Domains
Each user must enable MFA for themselves using a device they will have access to every time they sign in. An administrator cannot enable MFA for another user but can enforce MFA by identifying the list of non-compliant users, notifying them, or disabling access by resetting the password for non-compliant accounts.
Disabling access from Console:
- Go to https://cloud.oracle.com/identity/.
- Select Users from the Identity menu.
- Click on each non-compliant user.
- Click on Create/Reset Password.
From CLI:
oci iam user ui-password create-or-reset --user-id <OCID of the non-compliant user>
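The identification step above (list users, keep those that can use a console password but have not activated MFA, then produce the reset command for each) can be scripted against the output of the OCI CLI. The following Python is an added example, not part of the oci_compliance mod or the OCI CLI: it assumes the JSON shape returned by `oci iam user list --all --output json` (a top-level `data` list whose items carry `id`, `name`, `is-mfa-activated` and `capabilities.can-use-console-password`), and the user records embedded in it are constructed. The status values (`ok`, `alarm`, `skip`) mirror the ones Powerpipe controls report.

```python
"""Evaluate CIS OCI 1.7 (MFA for console users) over `oci iam user list` output.

Added example, not part of the oci_compliance mod. Assumes the JSON shape
returned by `oci iam user list --all --output json`; the sample below is
constructed, not captured from a real tenancy.
"""
import json
import shlex

# Constructed sample in the shape of `oci iam user list --all --output json`.
SAMPLE_USER_LIST = json.dumps({
    "data": [
        {"id": "ocid1.user.oc1..example-alice", "name": "alice",
         "is-mfa-activated": True,
         "capabilities": {"can-use-console-password": True}},
        {"id": "ocid1.user.oc1..example-bob", "name": "bob",
         "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": True}},
        {"id": "ocid1.user.oc1..example-svc", "name": "svc-deploy",
         "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": False}},
        {"id": "ocid1.user.oc1..example-carol", "name": "carol",
         "is-mfa-activated": None,   # field null/absent on the record
         "capabilities": None},
    ]
})


def evaluate_user(user):
    """Return 'ok', 'alarm' or 'skip' for one user record.

    skip  : console password explicitly disabled -> MFA not applicable
            (API-key-only or service users)
    alarm : console password allowed but MFA not activated
    ok    : console password allowed and MFA activated
    Missing or null fields are handled conservatively: a user is assumed
    able to use a console password unless the capability is explicitly
    False, and MFA counts as active only when the flag is explicitly True.
    """
    caps = user.get("capabilities") or {}
    if caps.get("can-use-console-password") is False:
        return "skip"
    return "ok" if user.get("is-mfa-activated") is True else "alarm"


def evaluate_user_list(raw_json):
    """Parse CLI output and map user name -> status."""
    users = json.loads(raw_json).get("data", [])
    return {u["name"]: evaluate_user(u) for u in users}


def non_compliant_users(raw_json):
    """Users with a console password but no MFA, as (name, OCID) tuples."""
    users = json.loads(raw_json).get("data", [])
    return [(u["name"], u["id"]) for u in users if evaluate_user(u) == "alarm"]


def reset_commands(raw_json):
    """The page's remediation command, one per non-compliant user.

    Returned as strings rather than executed, so an administrator can
    notify the users first and review the list before resetting anything.
    """
    return [
        f"oci iam user ui-password create-or-reset --user-id {shlex.quote(ocid)}"
        for _, ocid in non_compliant_users(raw_json)
    ]


if __name__ == "__main__":
    for name, status in evaluate_user_list(SAMPLE_USER_LIST).items():
        print(f"{status:5s} {name}")
    for cmd in reset_commands(SAMPLE_USER_LIST):
        print(cmd)
```

To run it against a real tenancy, pipe the CLI output into `evaluate_user_list` instead of the constructed sample; the conservative handling of null fields means records with unknown capabilities show up as `alarm` for manual review rather than being silently skipped.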
OCI IAM with Identity Domains
Each user must enable MFA for themselves using a device they will have access to every time they sign in. An administrator cannot enable MFA for another user but can enforce MFA by identifying the list of non-compliant users, notifying them, or disabling access by resetting the password for non-compliant accounts.
Disabling access from Console:
- Go to https://cloud.oracle.com/identity/.
- Select Domains from the Identity menu.
- Select the domain.
- Click Security.
- Click Sign-on policies, then the "Default Sign-on Policy".
- Under the sign-on rules header, click the three dots on the rule with the highest priority.
- Select Edit sign-on rule.
- Make a change to ensure that allow access is selected and prompt for an additional factor is enabled.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_7
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_7 --share
SQL
This control uses a named query:
identity_user_console_access_mfa_enabled