Enforce MFA Is Enabled for AWS IAM Users

Policy Setting: AWS > IAM > User > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

# Custom "Approved" policy for AWS IAM users: a user is approved only when an
# MFA device is associated with it. The setting is attached to the policy pack
# `turbot_policy_pack.main` and targets the AWS > IAM > User > Approved > Custom
# policy type.
resource "turbot_policy_setting" "aws_iam_user_approved_custom" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/aws-iam#/policy/types/userApprovedCustom"
# Input is a YAML list of two GraphQL queries, run in order:
#   1. fetches the Turbot id of the account the user belongs to;
#   2. fetches the user's UserName plus every `mfaVirtual` resource in that
#      account (filtered by the id from query 1 via `{{ $.account.turbot.id }}`),
#      projecting each device's `User.UserName` so it can be matched below.
# NOTE(review): only the virtual MFA resource type is queried. A user whose
# only MFA device is a hardware token would not be matched here — confirm
# whether hardware devices are tracked under a different resource type and,
# if so, whether they should be included in the filter.
template_input = <<-EOT
- |
{
account {
turbot {
id
}
}
}
- |
{
user {
UserName: get(path: "UserName")
}
resources(filter:"resourceTypeId:'tmod:@turbot/aws-iam#/resource/types/mfaVirtual' resourceId: {{ $.account.turbot.id }} resourceTypeLevel:self") {
items {
userName: get(path:"User.UserName")
}
}
}
EOT
# Evaluation (Nunjucks): `hasMfa` becomes true if any returned MFA device's
# userName equals the user's UserName. The result is then:
#   - "Approved"     when a matching device exists;
#   - "Not approved" when devices exist in the account but none belong to
#                    this user;
#   - "Skip"         when the account returned no MFA devices at all
#                    ("No data for MFA yet").
# The final line emits the result object as JSON.
# NOTE(review): because an empty device list yields "Skip" rather than
# "Not approved", an account in which no user has a virtual MFA device never
# produces a "Not approved" result — presumably intended to wait for
# discovery, but worth confirming that is acceptable for enforcement.
# NOTE(review): the loop relies on `set` inside `for` updating the outer
# `hasMfa` variable; this holds for Nunjucks but not for every Jinja-style
# engine — confirm against the engine version in use.
template = <<-EOT
{%- set hasMfa = false -%}
{%- for mfa in $.resources.items -%}
{%- if mfa.userName == $.user.UserName -%}
{%- set hasMfa = true -%}
{%- endif -%}
{%- endfor -%}
{%- if hasMfa -%}
{%- set data = {
"title": "MFA",
"result": "Approved",
"message": "User has MFA enabled"
} -%}
{%- elif not hasMfa and $.resources.items | length > 0 -%}
{%- set data = {
"title": "MFA",
"result": "Not approved",
"message": "User does not have MFA enabled"
} -%}
{%- else -%}
{%- set data = {
"title": "MFA",
"result": "Skip",
"message": "No data for MFA yet"
} -%}
{%- endif -%}
{{ data | json }}
EOT
}