id: iam-mfa-enable
info:
  name: MFA not enabled for AWS IAM Console User
  author: princechaddha
  severity: high
  description: |
    Verifies that Multi-Factor Authentication (MFA) is enabled for all IAM users with console access in AWS
  reference:
    - https://docs.aws.amazon.com/cli/latest/reference/iam/list-mfa-devices.html
  metadata:
    max-request: 2
  tags: cloud,devops,aws,amazon,iam,aws-cloud-config

flow: |
  code(1)
  for(let UserName of iterate(template.users)){
    set("user", UserName)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws iam list-users --query 'Users[*].UserName'

    extractors:
      - type: json # type of the extractor
        internal: true
        name: users
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
         aws iam list-mfa-devices --user-name $user --query 'MFADevices'

    matchers:
      - type: word
        words:
          - "[]"

    extractors:
      - type: dsl
        dsl:
          - '"MFA is no enabled for IAM User " + user'
# digest: 4a0a004730450221008072a04e0f68ee2345d1bfeee304675bc22468a061fd9fa3fbed31279e399640022057efc7bfe58fc41c86be4cfdc0870e4d998282ff71b6d70a3da557cb67cd2d09:922c64590222798bb761d5b6d8e72950