IAM MFA Audit #aws #ops

Number of APIs: 6

A simple collection to enforce the presence of MFA for human users in an AWS organization.

This is done as follows:

1. List all human users (users with console sign-in access).
2. Stringify and save the acquired list of human users to an environment variable.
3. Using Qodex.setNextRequest, iterate over the list of users, maintaining an index environment variable that represents the user currently being audited.
4. Fetch the MFA device details to determine the current user's MFA state. If MFA is disabled, fail a test and add the user's name to a separate list of users that do not have MFA enabled.
5. Compile the non-MFA user list and send it to Slack as a daily report.
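The same five-step audit in boto3 form, as an added example that is not the collection's own request scripts. It assumes the caller's credentials may call iam:ListUsers, iam:GetLoginProfile and iam:ListMFADevices, and takes any object exposing those three client methods so it can be exercised offline against a stub.

```python
# Added example (not the collection's own script): the audit logic described above
# in boto3 form. Assumes credentials allowed to call iam:ListUsers, iam:GetLoginProfile
# and iam:ListMFADevices; `iam` is any object with those three client methods.
from typing import Any, Dict, List


def list_all_users(iam: Any) -> List[str]:
    """Walk ListUsers with its Marker so accounts above MaxItems are still covered."""
    names: List[str] = []
    kwargs: Dict[str, Any] = {"MaxItems": 1000}
    while True:
        page = iam.list_users(**kwargs)
        names.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            return names
        kwargs["Marker"] = page["Marker"]


def has_console_access(iam: Any, user: str) -> bool:
    """A login profile exists only for users who can sign in to the console."""
    try:
        iam.get_login_profile(UserName=user)
        return True
    except iam.exceptions.NoSuchEntityException:
        return False


def has_mfa(iam: Any, user: str) -> bool:
    """True when at least one virtual or hardware MFA device is assigned."""
    return bool(iam.list_mfa_devices(UserName=user)["MFADevices"])


def audit(iam: Any) -> List[str]:
    """Return the human users (console sign-in) that have no MFA device."""
    return sorted(u for u in list_all_users(iam)
                  if has_console_access(iam, u) and not has_mfa(iam, u))


def slack_payload(non_mfa: List[str], channel: str, username: str = "aws-iam-audit-bot",
                  icon: str = ":closedlockwithkey:") -> Dict[str, str]:
    """Build the daily-report body for a Slack incoming webhook (defaults from the table)."""
    text = ("IAM users with console access but no MFA:\n" + "\n".join(f"- {u}" for u in non_mfa)
            if non_mfa else "IAM MFA audit: every console user has an MFA device.")
    return {"channel": channel, "username": username, "icon_emoji": icon, "text": text}


if __name__ == "__main__":
    import boto3  # live run only; credentials come from the environment
    print(slack_payload(audit(boto3.client("iam")), "#security"))
```

POST the returned dict as JSON to the webhook URL to deliver the report.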

The following environment variables are required by this collection:

| SNo | Variable | Description | Required |
|-----|-----------------|------------------------------------------------------------------------------|----------|
| 1 | id | The AWS Access Key ID | Yes |
| 2 | key | The AWS Access Key Secret | Yes |
| 3 | slackwebhookurl | The Slack webhook URL for sending Slack reports | Yes |
| 4 | slackchannel | The # prefixed channel name to send Slack reports to | Yes |
| 5 | slackusername | The username with which to send notifications. Defaults to aws-iam-audit-bot | No |
| 6 | slackicon | The icon used for the Slack message. Defaults to :closedlockwithkey: | No |

Note: While creating the AWS access key ID and secret, ensure the following:

1. The access key ID and secret are not associated with an account that has console login access.
2. The access key ID and secret must be associated with a bot user that has the following permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantUserCumMFAAccess",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListMFADevices"
      ],
      "Resource": "*"
    }
  ]
}
```

More reading:

1. To enforce MFA for your AWS accounts, see http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

1. List Users: `GET https://iam.amazonaws.com?Action=ListUsers&Version=2010-05-08&MaxItems=1000`
2. Get User Login Profile: `GET https://iam.amazonaws.com?Action=GetLoginProfile&Version=2010-05-08&UserName={{user}}`
3. List User Access Keys: `GET https://iam.amazonaws.com?Action=ListAccessKeys&Version=2010-05-08&UserName={{user}}&MaxItems=1000`
4. List MFA Devices: `GET https://iam.amazonaws.com?Action=ListMFADevices&Version=2010-05-08&MaxItems=1000&UserName={{user}}`
5. Fetch usernames for non-MFA users: `GET https://iam.amazonaws.com?Action=ListUserTags&Version=2010-05-08&MaxItems=1000&UserName={{user}}`
6. Send IAM MFA Audit report to Slack: `POST {{slack_url}}`