turbot/aws_compliance


Query: iam_root_user_hardware_mfa_enabled

Usage

steampipe query aws_compliance.query.iam_root_user_hardware_mfa_enabled

SQL

select
  -- Required Columns
  -- the account itself is the evaluated resource, expressed as a partition-scoped ARN
  'arn:' || s.partition || ':::' || s.account_id as resource,
  -- 'ok' only when the account-level MFA flag is true AND no virtual device answered to
  -- the root-account MFA serial ARN; any other combination is 'alarm'
  case
    when s.account_mfa_enabled and v.serial_number is null then 'ok'
    else 'alarm'
  end as status,
  -- NOTE(review): if account_mfa_enabled were NULL, status above would be 'alarm'
  -- while this falls through to the hardware-MFA message; confirm the column is
  -- never NULL for a summarised account
  case
    when not s.account_mfa_enabled then 'MFA not enabled for root account.'
    when v.serial_number is not null then 'Virtual MFA device enabled the root account.'
    else 'Hardware MFA device enabled for root account.'
  end as reason,
  -- Additional Dimensions
  s.account_id
from
  aws_iam_account_summary as s
  -- a virtual (software) token registered for root is looked up by its expected
  -- serial-number ARN; a hardware token produces no matching row, so v.serial_number
  -- stays NULL and the account passes
  left join aws_iam_virtual_mfa_device as v
    on v.serial_number = 'arn:' || s.partition || ':iam::' || s.account_id || ':mfa/root-account-mfa-device'