fix: better root mfa detection
ekristen committed Dec 29, 2023
1 parent 2276150 commit cd21b0f
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions resources/iam-virtual-mfa-devices.go
Expand Up @@ -2,6 +2,8 @@ package resources

import (
"errors"
"fmt"
"github.com/aws/smithy-go/ptr"
"strings"

"github.com/aws/aws-sdk-go/aws"
Expand All @@ -12,6 +14,8 @@ import (

type IAMVirtualMFADevice struct {
svc iamiface.IAMAPI
userId *string
userArn *string
userName string
serialNumber string
}
Expand All @@ -32,6 +36,8 @@ func ListIAMVirtualMFADevices(sess *session.Session) ([]Resource, error) {
for _, out := range resp.VirtualMFADevices {
resources = append(resources, &IAMVirtualMFADevice{
svc: svc,
userId: out.User.UserId,
userArn: out.User.Arn,
userName: *out.User.UserName,
serialNumber: *out.SerialNumber,
})
Expand All @@ -41,9 +47,18 @@ func ListIAMVirtualMFADevices(sess *session.Session) ([]Resource, error) {
}

func (v *IAMVirtualMFADevice) Filter() error {
isRoot := false
if ptr.ToString(v.userArn) == fmt.Sprintf("arn:aws:iam::%s:root", ptr.ToString(v.userId)) {
isRoot = true
}
if strings.HasSuffix(v.serialNumber, "/root-account-mfa-device") {
isRoot = true
}

if isRoot {
return errors.New("cannot delete root mfa device")
}

return nil
}

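Review bot: The ARN comparison at the top of the new Filter() body hard-codes the `aws` partition and assumes `userId` carries the account ID, so a root device in another partition (`arn:aws-us-gov:iam::…:root`, `arn:aws-cn:…`) never matches and detection rests on the serial-number suffix alone; because Filter fails open (a miss means the root MFA device gets deleted), the match should depend on neither assumption. Checking only the resource part of the ARN, `if strings.HasSuffix(aws.StringValue(v.userArn), ":root") {`, covers every partition and account without rebuilding the expected string, and since the v1 SDK `aws` package is already imported the new `fmt` and `smithy-go/ptr` imports (a v2 helper in a v1 file) can be dropped — Go rejects unused imports, so that has to happen in the same change. A one-line comment such as `// root is recognised by its user ARN; the serial-number suffix stays as a second signal for devices whose ARN is empty` would record why both checks are kept. Separately, the ListIAMVirtualMFADevices hunk reads `out.User.UserId` and `out.User.Arn` with no nil check, as `*out.User.UserName` already did; if the API can return a device with no User attached this panics before Filter runs, which is worth confirming against the API contract.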
