turbot/aws_compliance

Query: iam_root_user_hardware_mfa_enabled

Usage

powerpipe query aws_compliance.query.iam_root_user_hardware_mfa_enabled

SQL

select
'arn:' || s.partition || ':::' || s.account_id as resource,
case
when account_mfa_enabled
and serial_number is null then 'ok'
else 'alarm'
end status,
case
when account_mfa_enabled = false then 'MFA not enabled for root account.'
when serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'
else 'Hardware MFA device enabled for root account.'
end reason,
s.account_id
from
aws_iam_account_summary as s
left join aws_iam_virtual_mfa_device on serial_number = 'arn:' || s.partition || ':iam::' || s.account_id || ':mfa/root-account-mfa-device';

Controls

The query is being used by the following controls: