
Metadata

Id: eee107f9-b3d8-45d3-b9c6-43b5a7263ce1

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Access Control

Description

Assume-role operations should require multi-factor authentication (MFA). The one-time code proves that a live operator holding the enrolled device is behind the call, so a leaked access key or an unattended automation job cannot silently assume a privileged role.

In Ansible, tasks that use the amazon.aws.sts_assume_role module (or its legacy short name, sts_assume_role) must define both mfa_serial_number (the ARN of a virtual MFA device, or the serial number of a hardware device) and mfa_token (the current one-time code). Tasks that omit either property, or leave it undefined or empty, are flagged. A value written as a Jinja expression, as in the compliant examples below, counts as defined: the rule checks that both keys are present, not that their values are valid.

Supply mfa_token at runtime rather than in the playbook (for example through a vars_prompt with private: true, an environment variable, or Ansible Vault); a TOTP code is only valid for a short window, so a value committed to source control is useless at best. Ensure mfa_serial_number references the correct MFA device (for example, arn:aws:iam::123456789012:mfa/username). Note that these task parameters only pass the MFA code to the AssumeRole call; the role's trust policy must also demand it (a Condition on aws:MultiFactorAuthPresent), otherwise a task that omits MFA will still succeed.
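The following play is an added example, not code from the original page or from the amazon.aws collection. It shows the end-to-end pattern the description calls for: look up the caller's MFA device with amazon.aws.iam_mfa_device_info, prompt for the one-time code so it never lands in the playbook, assume the role with both MFA properties set, keep the token and returned credentials out of the log, and verify the assumed identity with amazon.aws.aws_caller_info. The account ID, role name, variable names (mfa_token, mfa_devices, assumed_role) and session-name prefix are placeholders chosen for the example.

```yaml
---
# Added example: a complete play demonstrating MFA-protected AssumeRole in Ansible.
# Account ID, role name and variable names are placeholders (assumptions).
- name: Assume a role with MFA and use the temporary credentials
  hosts: localhost
  connection: local
  gather_facts: false

  vars_prompt:
    - name: mfa_token
      prompt: "Current 6-digit code from your MFA device"
      private: true          # do not echo the code to the terminal

  tasks:
    - name: Find the MFA device attached to the calling IAM user
      amazon.aws.iam_mfa_device_info:
      register: mfa_devices

    - name: Stop early if the caller has no enrolled MFA device
      ansible.builtin.assert:
        that:
          - mfa_devices.mfa_devices | length > 0
        fail_msg: "No MFA device is enrolled for this IAM user; enroll one before assuming MFA-protected roles."

    - name: Assume the role with MFA (both mfa_serial_number and mfa_token are set)
      amazon.aws.sts_assume_role:
        role_arn: arn:aws:iam::123456789012:role/someRole
        role_session_name: "ansible-{{ lookup('env', 'USER') | default('automation', true) }}"
        mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number }}"
        mfa_token: "{{ mfa_token }}"
        duration_seconds: 3600
      register: assumed_role
      no_log: true           # keep the one-time code and the returned credentials out of the log

    - name: Confirm which identity the temporary credentials belong to
      amazon.aws.aws_caller_info:
        access_key: "{{ assumed_role.sts_creds.access_key }}"
        secret_key: "{{ assumed_role.sts_creds.secret_key }}"
        session_token: "{{ assumed_role.sts_creds.session_token }}"
      register: assumed_identity

    - name: Show the assumed-role ARN (no secrets in this output)
      ansible.builtin.debug:
        msg: "Operating as {{ assumed_identity.arn }} until {{ assumed_role.sts_creds.expiration }}"
```

Pass the same three credential parameters (access_key, secret_key, session_token from assumed_role.sts_creds) to every amazon.aws task that must run under the assumed role. For the check to mean anything server-side, the target role's trust policy should carry a condition such as "Bool": {"aws:MultiFactorAuthPresent": "true"}, so that an AssumeRole call without a valid MFA code is rejected by AWS regardless of what the playbook sends.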

Compliant Code Examples

# Compliant: both mfa_serial_number and mfa_token are defined. The serial comes from a
# preceding amazon.aws.iam_mfa_device_info task registered as mfa_devices; the token is
# the current one-time code, assumed here to be supplied at runtime as the variable mfa_token.
- name: Assume an existing role
  amazon.aws.sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: '{{ mfa_token }}'
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role

# Compliant: the same task written with the legacy short module name; the rule covers both forms.
- name: Hello
  sts_assume_role:
    mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
    mfa_token: '{{ mfa_token }}'
    role_arn: arn:aws:iam::123456789012:role/someRole
    role_session_name: someRoleSession
  register: assumed_role

Non-Compliant Code Examples

# Non-compliant: mfa_serial_number is set but mfa_token is missing, so the AssumeRole
# call is made without a second factor.
- name: Assume an existing role
  amazon.aws.sts_assume_role:
    mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number }}"
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role

# Non-compliant: neither mfa_serial_number nor mfa_token is defined.
- name: Hello
  sts_assume_role:
    role_arn: "arn:aws:iam::123456789012:role/someRole"
    role_session_name: "someRoleSession"
  register: assumed_role