fix(iam): update logic of Root Hardware MFA check (#4774)

Co-authored-by: Sergio <[email protected]>

Author: github-actions[bot]

prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py

@@ -15,9 +15,9 @@ def execute(self) -> Check_Report_AWS:
                 report.resource_arn = iam_client.mfa_arn_template
 
                 if iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"] > 0:
-                    virtual_mfas = iam_client.virtual_mfa_devices
-                    for mfa in virtual_mfas:
-                        if "root" in mfa["SerialNumber"]:
+                    for mfa in iam_client.virtual_mfa_devices:
+                        # If the ARN of the associated IAM user of the Virtual MFA device is "arn:aws:iam::[aws-account-id]:root", your AWS root account is not using a hardware-based MFA device for MFA protection.
+                        if "root" in mfa.get("User", {}).get("Arn", ""):
                             virtual_mfa = True
                             report.status = "FAIL"
                             report.status_extended = "Root account has a virtual MFA instead of a hardware MFA device enabled."

tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py

@@ -1,9 +1,6 @@
 from re import search
 from unittest import mock
 
-from boto3 import client
-from moto import mock_aws
-
 from tests.providers.aws.audit_info_utils import (
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_US_EAST_1,
@@ -19,13 +16,20 @@ class Test_iam_root_hardware_mfa_enabled_test:
         set_mocked_aws_audit_info,
     )
 
-    @mock_aws
-    def test_root_hardware_virtual_mfa_enabled(self):
-        iam = client("iam")
-        mfa_device_name = "mfa-test"
-        iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)
-
-        from prowler.providers.aws.services.iam.iam_service import IAM
+    def test_root_virtual_mfa_enabled(self):
+        iam_client = mock.MagicMock
+        iam_client.account_summary = {
+            "SummaryMap": {"AccountMFAEnabled": 1},
+        }
+        iam_client.virtual_mfa_devices = [
+            {
+                "SerialNumber": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa/mfa",
+                "User": {"Arn": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"},
+            }
+        ]
+        iam_client.audited_partition = "aws"
+        iam_client.region = AWS_REGION_US_EAST_1
+        iam_client.mfa_arn_template = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa"
 
         current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
 
@@ -34,15 +38,12 @@ def test_root_hardware_virtual_mfa_enabled(self):
             new=current_audit_info,
         ), mock.patch(
             "prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
-            new=IAM(current_audit_info),
-        ) as service_client:
+            new=iam_client,
+        ):
             from prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled import (
                 iam_root_hardware_mfa_enabled,
             )
 
-            service_client.account_summary["SummaryMap"]["AccountMFAEnabled"] = 1
-            service_client.virtual_mfa_devices[0]["SerialNumber"] = "sddfaf-root-sfsfds"
-
             check = iam_root_hardware_mfa_enabled()
             result = check.execute()
             assert result[0].status == "FAIL"
@@ -52,13 +53,15 @@ def test_root_hardware_virtual_mfa_enabled(self):
             )
             assert result[0].resource_id == "<root_account>"
 
-    @mock_aws
-    def test_root_hardware_virtual_hardware_mfa_enabled(self):
-        iam = client("iam")
-        mfa_device_name = "mfa-test"
-        iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)
-
-        from prowler.providers.aws.services.iam.iam_service import IAM
+    def test_root_hardware_mfa_enabled(self):
+        iam_client = mock.MagicMock
+        iam_client.account_summary = {
+            "SummaryMap": {"AccountMFAEnabled": 1},
+        }
+        iam_client.virtual_mfa_devices = []
+        iam_client.audited_partition = "aws"
+        iam_client.region = AWS_REGION_US_EAST_1
+        iam_client.mfa_arn_template = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:mfa"
 
         current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
 
@@ -67,15 +70,12 @@ def test_root_hardware_virtual_hardware_mfa_enabled(self):
             new=current_audit_info,
         ), mock.patch(
             "prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
-            new=IAM(current_audit_info),
-        ) as service_client:
+            new=iam_client,
+        ):
             from prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled import (
                 iam_root_hardware_mfa_enabled,
             )
 
-            service_client.account_summary["SummaryMap"]["AccountMFAEnabled"] = 1
-            service_client.virtual_mfa_devices[0]["SerialNumber"] = ""
-
             check = iam_root_hardware_mfa_enabled()
             result = check.execute()
             assert result[0].status == "PASS"
@@ -84,7 +84,3 @@ def test_root_hardware_virtual_hardware_mfa_enabled(self):
                 result[0].status_extended,
             )
             assert result[0].resource_id == "<root_account>"
-            assert (
-                result[0].resource_arn
-                == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:mfa"
-            )