Control: IAM administrator users should have MFA enabled
Description
Manage access to resources in the AWS Cloud by ensuring MFA is enabled for users with administrative privileges.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_user_with_administrator_access_mfa_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.iam_user_with_administrator_access_mfa_enabled --share
SQL
This control uses a named query:
with admin_users as (
  select
    user_id,
    name,
    attachments
  from
    aws_iam_user,
    jsonb_array_elements_text(attached_policy_arns) as attachments
  where
    split_part(attachments, '/', 2) = 'AdministratorAccess'
)
select
  u.arn as resource,
  case
    when au.user_id is null then 'skip'
    when au.user_id is not null and u.mfa_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when au.user_id is null then u.name || ' does not have administrator access.'
    when au.user_id is not null and u.mfa_enabled then u.name || ' has MFA token enabled.'
    else u.name || ' has MFA token disabled.'
  end as reason,
  u.region,
  u.account_id
from
  aws_iam_user as u
  left join admin_users au on u.user_id = au.user_id
order by
  u.name;
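As an added example that is not part of this control or of the Steampipe/Powerpipe projects, the Python below reproduces the query's status logic over constructed aws_iam_user rows, so the skip/ok/alarm decisions can be checked without a Steampipe connection. The policy match mirrors split_part(attachments, '/', 2) = 'AdministratorAccess', i.e. it compares only the segment right after the first slash of each attached policy ARN; all ARNs, names and account ids below are constructed.

```python
from typing import Dict, List

# Constructed rows carrying the aws_iam_user columns the query reads.
SAMPLE_USERS: List[Dict] = [
    {"arn": "arn:aws:iam::111122223333:user/alice", "name": "alice", "user_id": "AIDA0001",
     "mfa_enabled": True, "region": "global", "account_id": "111122223333",
     "attached_policy_arns": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    {"arn": "arn:aws:iam::111122223333:user/bob", "name": "bob", "user_id": "AIDA0002",
     "mfa_enabled": False, "region": "global", "account_id": "111122223333",
     "attached_policy_arns": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    {"arn": "arn:aws:iam::111122223333:user/carol", "name": "carol", "user_id": "AIDA0003",
     "mfa_enabled": False, "region": "global", "account_id": "111122223333",
     "attached_policy_arns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
    # Customer-managed policy under an IAM path: split_part(..., '/', 2) yields
    # 'ops', so the query does not treat this user as an administrator.
    {"arn": "arn:aws:iam::111122223333:user/dave", "name": "dave", "user_id": "AIDA0004",
     "mfa_enabled": False, "region": "global", "account_id": "111122223333",
     "attached_policy_arns": ["arn:aws:iam::111122223333:policy/ops/AdministratorAccess"]},
]


def is_admin_policy(policy_arn: str) -> bool:
    """Mirror PostgreSQL split_part(policy_arn, '/', 2) = 'AdministratorAccess'.

    split_part returns the 2nd '/'-separated field (1-based) or '' when absent,
    so only the name directly after '.../policy/' is compared.
    """
    parts = policy_arn.split("/")
    second_field = parts[1] if len(parts) > 1 else ""
    return second_field == "AdministratorAccess"


def evaluate_user(user: Dict) -> Dict:
    """Apply the control's two CASE expressions to one user row."""
    is_admin = any(is_admin_policy(arn) for arn in user["attached_policy_arns"])
    if not is_admin:
        status, reason = "skip", f"{user['name']} does not have administrator access."
    elif user["mfa_enabled"]:
        status, reason = "ok", f"{user['name']} has MFA token enabled."
    else:
        status, reason = "alarm", f"{user['name']} has MFA token disabled."
    return {"resource": user["arn"], "status": status, "reason": reason,
            "region": user["region"], "account_id": user["account_id"]}


def run_control(users: List[Dict]) -> List[Dict]:
    """Evaluate every user, ordered by name as the query's ORDER BY does."""
    return [evaluate_user(u) for u in sorted(users, key=lambda u: u["name"])]
```

As in the query, only policies attached directly to the user are inspected; administrator rights granted through group membership or inline policies are not seen by this check.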