feat(aws): Add MFA flag if try to assume role in AWS (#2478)

Co-authored-by: Pepe Fagoaga <pepe@verica.io> Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
2026-02-10 14:55:00 +00:00 · 2023-06-13 18:18:10 +03:00
parent 561459d93b
commit 707584b2ef
245 changed files with 470 additions and 25 deletions
--- a/docs/getting-started/requirements.md
+++ b/docs/getting-started/requirements.md
@@ -30,6 +30,13 @@ Those credentials must be associated to a user or role with proper permissions t

  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).

+### Multi-Factor Authentication
+
+If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
+
+- ARN of your MFA device
+- TOTP (Time-Based One-Time Password)
+
 ## Azure

 Prowler for azure supports the following authentication types:
--- a/docs/tutorials/aws/authentication.md
+++ b/docs/tutorials/aws/authentication.md
@@ -0,0 +1,31 @@
+# AWS Authentication
+
+Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
+
+```console
+aws configure
+```
+
+or
+
+```console
+export AWS_ACCESS_KEY_ID="ASXXXXXXX"
+export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
+export AWS_SESSION_TOKEN="XXXXXXXXX"
+```
+
+Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
+
+  - arn:aws:iam::aws:policy/SecurityAudit
+  - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
+
+  > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
+
+  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
+
+## Multi-Factor Authentication
+
+If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
+
+- ARN of your MFA device
+- TOTP (Time-Based One-Time Password)
--- a/docs/tutorials/aws/role-assumption.md
+++ b/docs/tutorials/aws/role-assumption.md
@@ -5,7 +5,7 @@ Prowler uses the AWS SDK (Boto3) underneath so it uses the same authentication m
 However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on each use case:

 1. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `prowler aws -p/--profile your-custom-profile`.
- - An example profile that performs role-chaining is given below. The `credential_source` can either be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`. 
+ - An example profile that performs role-chaining is given below. The `credential_source` can either be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`.
 - Alternatively, you could use the `source_profile` instead of `credential_source` to specify a separate named profile that contains IAM user credentials with permission to assume the target the role. More information can be found [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).
 ```
 [profile crossaccountrole]
@@ -23,6 +23,13 @@ prowler aws -R arn:aws:iam::<account_id>:role/<role_name>
 prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R arn:aws:iam::<account_id>:role/<role_name>
 ```

+## Role MFA
+
+If your IAM Role has MFA configured you can use `--mfa` along with  `-R`/`--role <role_arn>` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided:
+- ARN of your MFA device
+- TOTP (Time-Based One-Time Password)
+
+
 ## Create Role

 To create a role to be assumed in one or multiple accounts you can use either as CloudFormation Stack or StackSet the following [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it.