ASL false-postive for plugins/aws/iam/usersMfaEnabled.js

[jfortier]

trafficstars

Hey all,

I'm getting a false-positive result for plugin usersMfaEnabled, where users in AWS with no console password, are getting flagged for not having MFA enabled. This is contrary to plugins stated behaviour and logic in the run function.

              // Skip root user and users without passwords
              // since they won't be logging into the console
              if (obj.user === '<root_account>') continue;
              if (!obj.password_enabled) continue;

It seems disabling the asl key in the plugin returns proper results, as I noticed that was not in the 2.0 release. Does the ASL feature completely bypasses the run function? Is this the intended logic of this feature? Is there documentation on how the ASL key is supposed to be used?

Just getting familiar with Cloudsploit and trying to build my own compliance policy, maybe I should I be dong my work using the 2.0 release instead of master?