#!/usr/bin/env bash # Prowler - the handy cloud security tool (c) by Toni de la Fuente # # This Prowler check is licensed under a # Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. # # You should have received a copy of the license along with this # work. If not, see . CHECK_ID_check12="1.2" CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" CHECK_SCORED_check12="SCORED" CHECK_TYPE_check12="LEVEL1" CHECK_SEVERITY_check12="High" CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser" CHECK_ALTERNATE_check102="check12" CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1" CHECK_SERVICENAME_check12="iam" CHECK_RISK_check12='Unauthorized access to this critical account if password is not secure or it is disclosed in any way.' CHECK_REMEDIATION_check12='Enable MFA for root account. is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.' CHECK_DOC_check12='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html' CHECK_CAF_EPIC_check12='IAM' check12(){ # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" # List users with password enabled COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }') COMMAND12=$( for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }' done) if [[ $COMMAND12 ]]; then for u in $COMMAND12; do textFail "User $u has Password enabled but MFA disabled" done else textPass "No users found with Password enabled and MFA disabled" fi }