prowler
[Bug]: Users with console password disabled are failing iam_user_mfa_enabled_console_access check
What happened?
I have a user with the console password disabled and this user is failing a check with "User prowler has Console Password enabled but MFA disabled".
How to reproduce it
Steps to reproduce the behavior:
- Create an IAM user with the console password disabled and without MFA enabled.
- Run prowler
- Filter the results to iam service and iam_user_mfa_enabled_console_access check.
Expected behavior
A user with the console password disabled should not show as failing for this check.
Screenshots or Logs
IAM settings for user in AWS console:
Result for this check for this user:
From where are you running Prowler?
Please, complete the following information:
- Resource: Docker container manually
- OS: Ubuntu 20.04
- Prowler Version [./prowler --version]: 3.0.1
- Shell and version: bash 5.0.17(1)-release
Additional context
I see that in iam_user_mfa_enabled_console_access.py the code is checking that password_enabled does not equal not_supported to determine if the console password is enabled. I think what it should be doing instead is checking if user["password_enabled"] != "false". According to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html, for the password_enabled field, "When the user has a password, this value is TRUE. Otherwise it is FALSE. The value for the AWS account root user is always not_supported."
Thanks @chrismcgehee, we will give it a look as soon as we can and let you know.
Hi @chrismcgehee, we have made some changes here, can you test it to check if everything works OK now? https://github.com/prowler-cloud/prowler/pull/1634
Thanks for fixing this!
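The three-valued password_enabled field discussed in this issue, as an added example (not Prowler's code and not the change in the linked pull request): it runs the comparison the report describes and a tri-state version over a constructed credential report. The sample rows, function names and the SKIP result for the root row are assumptions made for illustration.

```python
import csv
import io

# Constructed sample in the credential report's CSV layout (subset of columns).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
prowler,arn:aws:iam::123456789012:user/prowler,false,false
alice,arn:aws:iam::123456789012:user/alice,true,false
bob,arn:aws:iam::123456789012:user/bob,TRUE,true
"""


def check_described_in_issue(row):
    """Approximates the reported behaviour: any value other than
    not_supported is treated as 'console password enabled'."""
    no_mfa = row["mfa_active"].strip().lower() == "false"
    if row["password_enabled"] != "not_supported" and no_mfa:
        return "FAIL"
    return "PASS"


def check_tri_state(row):
    """Treats password_enabled as tri-state: true / false / not_supported."""
    password = row["password_enabled"].strip().lower()
    mfa = row["mfa_active"].strip().lower() == "true"
    if password == "not_supported":
        return "SKIP"  # root row; assumption: root MFA is evaluated elsewhere
    if password != "true":
        return "PASS"  # no console password, so console MFA does not apply
    return "PASS" if mfa else "FAIL"


def evaluate(report_csv, check):
    """Returns {user: result} for every row of the report."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {row["user"]: check(row) for row in rows}


if __name__ == "__main__":
    checks = (("as reported", check_described_in_issue),
              ("tri-state", check_tri_state))
    for name, check in checks:
        print(name, evaluate(SAMPLE_REPORT, check))
```

Comparing case-insensitively covers both the upper-case values quoted from the AWS documentation and lower-case values in a report.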