turbot/aws_compliance

Trigger: Detect & correct IAM root users with hardware MFA disabled

Detect IAM root users with hardware MFA disabled: the query flags an account when MFA is not enabled for the root user at all, or when the MFA device registered to the root ARN is a virtual device rather than a hardware one.

Query

select
  concat('<root_account>', ' [', s.account_id, ']') as title,
  s.account_id,
  s.sp_connection_name as conn
from
  aws_iam_account_summary as s
  left join aws_iam_virtual_mfa_device as d
    on (d.user ->> 'Arn') = concat('arn:', s.partition, ':iam::', s.account_id, ':root')
where
  s.account_mfa_enabled = false
  or d.serial_number is not null;
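The following is an added illustration, not code from the turbot/aws_compliance mod: a plain-Python model of the trigger query, run over constructed rows so the three cases the predicate distinguishes (no MFA at all, a virtual MFA device on the root ARN, and a hardware device that leaves no row in the virtual-device table) can be seen side by side. The dataclass names, the `user_arn` field (standing in for `d.user ->> 'Arn'`) and the sample account IDs are assumptions made for this example.

```python
# Added example (not part of the turbot/aws_compliance mod). It mirrors the
# trigger query: an account is flagged when root MFA is disabled OR a virtual
# MFA device is bound to the root ARN. A hardware device never appears in the
# virtual-device table, so a hardware-protected root produces no match.
from dataclasses import dataclass


@dataclass
class AccountSummary:
    """One row of aws_iam_account_summary (subset of columns)."""
    account_id: str
    partition: str
    account_mfa_enabled: bool
    sp_connection_name: str


@dataclass
class VirtualMfaDevice:
    """One row of aws_iam_virtual_mfa_device (user_arn stands in for user ->> 'Arn')."""
    serial_number: str
    user_arn: str


def root_arn(s: AccountSummary) -> str:
    # Same value the query builds with concat('arn:', partition, ':iam::', account_id, ':root').
    return f"arn:{s.partition}:iam::{s.account_id}:root"


def find_root_without_hardware_mfa(summaries, devices):
    """Return (title, account_id, conn) tuples for every account the trigger would report."""
    devices_by_arn = {d.user_arn: d for d in devices}
    results = []
    for s in summaries:
        d = devices_by_arn.get(root_arn(s))  # the left join: None when no virtual device on root
        if not s.account_mfa_enabled or d is not None:
            results.append((f"<root_account> [{s.account_id}]", s.account_id, s.sp_connection_name))
    return results


# Constructed sample data (hypothetical account IDs and connection names).
SAMPLE_SUMMARIES = [
    AccountSummary("111111111111", "aws", False, "aws_dev"),    # no MFA on root
    AccountSummary("222222222222", "aws", True, "aws_test"),    # virtual MFA on root
    AccountSummary("333333333333", "aws", True, "aws_prod"),    # hardware MFA on root
]
SAMPLE_DEVICES = [
    VirtualMfaDevice("arn:aws:iam::222222222222:mfa/root-account-mfa-device",
                     "arn:aws:iam::222222222222:root"),
    # A virtual device on an ordinary IAM user must not match the root join key.
    VirtualMfaDevice("arn:aws:iam::333333333333:mfa/alice",
                     "arn:aws:iam::333333333333:user/alice"),
]


if __name__ == "__main__":
    for row in find_root_without_hardware_mfa(SAMPLE_SUMMARIES, SAMPLE_DEVICES):
        print(row)
```

Running the block reports accounts 111111111111 and 222222222222 only; the virtual device assigned to a non-root user in 333333333333 does not match the root ARN, which is why the query joins on the full `arn:<partition>:iam::<account>:root` string rather than on the account ID alone.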

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/IAM