Root Account Should Have MFA and External ID Set

More Info:

This rule identifies IAM roles that do not require multi-factor authentication (MFA) or external ID for assumed roles. Roles without MFA or external ID can pose security risks, as they may allow unauthorized access or increase the attack surface for potential breaches. Enforcing MFA and external ID requirements adds an additional layer of security to IAM roles and helps prevent unauthorized access.

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent the misconfiguration where the root account should have Multi-Factor Authentication (MFA) and an External ID set in AWS Identity and Access Management (IAM) using AWS CLI, follow these steps:

Enable MFA on the Root Account:
- First, list the MFA devices associated with the root account to ensure none are already configured:
  aws iam list-mfa-devices --user-name root
- If no MFA devices are listed, you can enable MFA by creating a virtual MFA device and associating it with the root account. First, create the virtual MFA device:
  aws iam create-virtual-mfa-device --virtual-mfa-device-name root-account-mfa --outfile /path/to/root-account-mfa.png
- Then, enable the MFA device for the root account. You will need the authentication codes from the virtual MFA device:
  aws iam enable-mfa-device --user-name root --serial-number arn:aws:iam::account-id:mfa/root-account-mfa --authentication-code1 123456 --authentication-code2 654321

Set an External ID for IAM Roles:

Identify the IAM role that requires an external ID. List the roles to find the specific role:
```
aws iam list-roles
```
Update the trust policy of the IAM role to include an external ID. First, get the current trust policy:
```
aws iam get-role --role-name YourRoleName
```

Modify the trust policy JSON to include the sts:ExternalId condition. Here is an example of a trust policy with an external ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YourExternalID"
        }
      }
    }
  ]
}

Update the role with the modified trust policy:

aws iam update-assume-role-policy --role-name YourRoleName --policy-document file://path/to/modified-trust-policy.json

Verify MFA and External ID Configuration:
- Verify that the MFA device is enabled for the root account:
  aws iam list-mfa-devices --user-name root
- Verify the trust policy of the IAM role to ensure the external ID is set correctly:
  aws iam get-role --role-name YourRoleName

Automate Checks Using AWS CLI Scripts:

Create a script to periodically check and ensure that MFA is enabled and the external ID is set. Here is a simple example in Bash:

#!/bin/bash

# Check MFA for root account
MFA_DEVICES=$(aws iam list-mfa-devices --user-name root)
if [ -z "$MFA_DEVICES" ]; then
  echo "MFA is not enabled for the root account."
else
  echo "MFA is enabled for the root account."
fi

# Check External ID for a specific role
ROLE_NAME="YourRoleName"
TRUST_POLICY=$(aws iam get-role --role-name $ROLE_NAME)
if echo $TRUST_POLICY | grep -q "sts:ExternalId"; then
  echo "External ID is set for the role $ROLE_NAME."
else
  echo "External ID is not set for the role $ROLE_NAME."
fi

By following these steps, you can ensure that the root account has MFA enabled and that IAM roles have an external ID set, thereby preventing the misconfiguration using AWS CLI.

Using Python

To prevent the misconfiguration where the root account should have Multi-Factor Authentication (MFA) and an External ID set in IAM using Python scripts, you can follow these steps:

1. Install Required Libraries

Ensure you have the necessary libraries installed. You will need boto3 for AWS, azure-identity and azure-mgmt-resource for Azure, and google-auth and google-api-python-client for GCP.

pip install boto3 azure-identity azure-mgmt-resource google-auth google-api-python-client

2. AWS: Enforce MFA on Root Account

import boto3

def enforce_mfa_on_root():
    iam_client = boto3.client('iam')
    
    # List MFA devices for the root account
    mfa_devices = iam_client.list_mfa_devices(UserName='root')
    
    if not mfa_devices['MFADevices']:
        print("Root account does not have MFA enabled. Please enable MFA.")
    else:
        print("Root account has MFA enabled.")

enforce_mfa_on_root()

3. Azure: Enforce MFA on Root Account

Azure does not have a direct equivalent of a “root” account, but you can enforce MFA for all users in the directory.

from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient

def enforce_mfa_on_root():
    credential = DefaultAzureCredential()
    client = ResourceManagementClient(credential, '<subscription_id>')
    
    # This is a placeholder for enforcing MFA. Azure AD Conditional Access policies should be used.
    print("Ensure that Conditional Access policies enforce MFA for all users.")

enforce_mfa_on_root()

4. GCP: Enforce MFA on Root Account

GCP also does not have a direct equivalent of a “root” account, but you can enforce MFA for all users in the organization.

from google.oauth2 import service_account
from googleapiclient.discovery import build

def enforce_mfa_on_root():
    credentials = service_account.Credentials.from_service_account_file('path/to/your/service-account-file.json')
    service = build('admin', 'directory_v1', credentials=credentials)
    
    # This is a placeholder for enforcing MFA. GCP Identity Platform should be used.
    print("Ensure that Identity Platform enforces MFA for all users.")

enforce_mfa_on_root()

Summary

Install Required Libraries: Ensure you have the necessary Python libraries installed.
AWS: Use boto3 to check and enforce MFA on the root account.
Azure: Use azure-identity and azure-mgmt-resource to ensure Conditional Access policies enforce MFA.
GCP: Use google-auth and google-api-python-client to ensure Identity Platform enforces MFA.

These scripts provide a basic framework to check and enforce MFA on root accounts or equivalent in AWS, Azure, and GCP. For a complete solution, you would need to integrate these checks into your CI/CD pipeline or monitoring system.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Root Account Should Have MFA and External ID Set

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

1. Install Required Libraries

2. AWS: Enforce MFA on Root Account

3. Azure: Enforce MFA on Root Account

4. GCP: Enforce MFA on Root Account

Summary

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent