# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|AWS|ComplianceCow||Check if given service:action definitions and conditions are implemented in the policy|

```
Purpose: This rule simulates the effect of AWS Identity and Access Management (IAM) policies on Multi-Factor Authentication (MFA) enforcement within an AWS environment. It helps administrators see whether IAM policies actually require a principal to authenticate with MFA before performing an action on AWS resources, so that MFA requirements for sensitive actions or resources are verified rather than assumed.
```
```
RecommendedEvidenceName: MFAPolicySimulatorReport
```

# Step 2: Define the System Specific Data (a.k.a. Extended Data Schema)


In [None]:
# AWS Example
[
  {
    "identity_name": "test-user-one",
    "identity_type": "User",
    "mfa_present": true,
    "action_name": "ec2:StopInstances",
    "resource_name": "*",
    "decision": "explicitDeny",
    "source_policy_id": "Force_MFA",
    "source_policy_type": "IAM Policy",
    "recommendations": "None",
    "compliance_status": "true"
  }
]

# Step 3: Define the Standard Schema
  


In [None]:
{
    # Meta
    "System": "aws",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "arn:aws:iam::022654265366:user/test-user-one",
    "ResourceName": "test-user-one",
    "ResourceType": "AwsIamUser",
    "ResourceLocation": "global",
    "ResourceTags": null,
    "ResourceURL": "https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-one",

    # Data
    "Action": "ec2:StopInstances",
    "ActionResource": "*",
    "Decision": "implicitDeny",
    "MFAPresent": false,
    "SourcePolicyDeatils": null,

    # Compliance details
    "ValidationStatusCode": "ACT_NA",
    "ValidationStatusNotes": "Action not allowed implicitly denied",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "Action implicitly denied (no matching policy statements)",
    "EvaluatedTime": "2024-02-19T07:05:13.268Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|ResourceURL|Action|ActionResource|Decision|MFAPresent|SourcePolicyDeatils|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-one|test-user-one|AwsIamUser|global|null|https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-one|ec2:StopInstances|*|implicitDeny|false|null|ACT_NA|Action not allowed implicitly denied|COMPLIANT|Action implicitly denied (no matching policy statements)|2024-02-19T07:05:13.268Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-two|test-user-two|AwsIamUser|global|null|https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-two|ec2:StopInstances|*|allowed|false|[{"SourcePolicyID": "AmazonEC2FullAccess","SourcePolicyType": "IAM Policy"}]|MFA_NE|MFA is not enforced|NON_COMPLIANT|Implement MFA check for IAM policy|2024-02-19T07:05:15.652Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-three|test-user-three|AwsIamUser|global|null|https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-three|ec2:StopInstances|*|explicitDeny|true|null|ACT_NA|Action not allowed explicitly denied|COMPLIANT|Action explicitly denied|2024-02-19T07:05:16.903Z||||

# Step 4: Describe the Compliance Taxonomy

|Decision|MFAPresent|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|---|---|
|allowed|true|MFA_E|MFA is enforced|COMPLIANT|MFA implemented in IAM policy|
|allowed|false|MFA_NE|MFA is not enforced|NON_COMPLIANT|Implement MFA check for IAM policy|
|implicitDeny|-|ACT_NA|Action not allowed implicitly denied|COMPLIANT|Action implicitly denied (no matching policy statements)|
|explicitDeny|-|ACT_NA|Action not allowed explicitly denied|COMPLIANT|Action explicitly denied|

# Step 5: Calculation for Compliance Percentage and Status




In [None]:
# Calculation of Compliance Percentage

TotalRecordCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
FailedRecordCount = Count of 'NON_COMPLIANT' records

CompliancePCT = int(100 - ((FailedRecordCount * 100) / TotalRecordCount))

# Compliance Status
COMPLIANT - 100%
NON_COMPLIANT - 0% to less than 100%
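The following Python is an added example, not ComplianceCow's own code: it applies the Step 4 taxonomy to each simulated (Decision, MFAPresent) pair, maps a Step 2 extended record onto the Step 3 standard fields the taxonomy fills in, and then computes the Step 5 percentage and status. The three input records are constructed to mirror the users in the Step 3.a sample table; field names are taken from the schemas above, everything else is this example's own.

```python
# Added example (not ComplianceCow's code): Step 4 taxonomy + Step 5 percentage.

# (Decision, MFAPresent) -> (ValidationStatusCode, ValidationStatusNotes,
# ComplianceStatus, ComplianceStatusReason), copied from the Step 4 table.
# MFAPresent does not matter for denied actions ("-" in the table), modelled as None.
TAXONOMY = {
    ("allowed", True): ("MFA_E", "MFA is enforced",
                        "COMPLIANT", "MFA implemented in IAM policy"),
    ("allowed", False): ("MFA_NE", "MFA is not enforced",
                         "NON_COMPLIANT", "Implement MFA check for IAM policy"),
    ("implicitDeny", None): ("ACT_NA", "Action not allowed implicitly denied",
                             "COMPLIANT", "Action implicitly denied (no matching policy statements)"),
    ("explicitDeny", None): ("ACT_NA", "Action not allowed explicitly denied",
                             "COMPLIANT", "Action explicitly denied"),
}


def classify(decision, mfa_present):
    """Map one simulation outcome to the four compliance fields of the standard schema."""
    key = (decision, bool(mfa_present)) if decision == "allowed" else (decision, None)
    if key not in TAXONOMY:
        raise ValueError(f"unknown simulation decision: {decision!r}")
    code, notes, status, reason = TAXONOMY[key]
    return {
        "ValidationStatusCode": code,
        "ValidationStatusNotes": notes,
        "ComplianceStatus": status,
        "ComplianceStatusReason": reason,
    }


def to_standard_record(extended):
    """Convert a Step 2 extended-schema record into the Step 3 standard fields
    that the taxonomy and the percentage calculation depend on."""
    record = {
        "ResourceName": extended["identity_name"],
        "Action": extended["action_name"],
        "ActionResource": extended["resource_name"],
        "Decision": extended["decision"],
        "MFAPresent": extended["mfa_present"],
    }
    record.update(classify(extended["decision"], extended["mfa_present"]))
    return record


def compliance_summary(records):
    """Step 5: CompliancePCT = int(100 - FailedRecordCount * 100 / TotalRecordCount);
    the overall status is COMPLIANT only at exactly 100%."""
    total = sum(1 for r in records if r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT"))
    failed = sum(1 for r in records if r["ComplianceStatus"] == "NON_COMPLIANT")
    if total == 0:
        # The page's formula divides by TotalRecordCount; an empty evidence set
        # is reported as an error here rather than silently scored.
        raise ValueError("no COMPLIANT/NON_COMPLIANT records to score")
    pct = int(100 - ((failed * 100) / total))
    return {
        "TotalRecordCount": total,
        "FailedRecordCount": failed,
        "CompliancePCT": pct,
        "ComplianceStatus": "COMPLIANT" if pct == 100 else "NON_COMPLIANT",
    }


# Constructed sample input mirroring the three users in the Step 3.a table.
SAMPLE_EXTENDED = [
    {"identity_name": "test-user-one", "identity_type": "User", "mfa_present": False,
     "action_name": "ec2:StopInstances", "resource_name": "*", "decision": "implicitDeny"},
    {"identity_name": "test-user-two", "identity_type": "User", "mfa_present": False,
     "action_name": "ec2:StopInstances", "resource_name": "*", "decision": "allowed"},
    {"identity_name": "test-user-three", "identity_type": "User", "mfa_present": True,
     "action_name": "ec2:StopInstances", "resource_name": "*", "decision": "explicitDeny"},
]


def run_sample():
    """Classify the constructed records and score them; returns (records, summary)."""
    records = [to_standard_record(e) for e in SAMPLE_EXTENDED]
    return records, compliance_summary(records)


if __name__ == "__main__":
    recs, summary = run_sample()
    for r in recs:
        print(r["ResourceName"], r["Decision"], r["ValidationStatusCode"], r["ComplianceStatus"])
    print(summary)  # 3 records, 1 failed -> CompliancePCT 66, NON_COMPLIANT
```

Note that `int()` truncates, so a single failing user out of three scores 66, not 67; the page's formula is deliberately strict and any failing record already forces NON_COMPLIANT regardless of the rounded figure.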

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

Review IAM policies to ensure they include necessary MFA requirements, such as the aws:MultiFactorAuthPresent condition key.
Utilize the MFAPolicySimulatorReport to simulate policy changes and verify correct enforcement of MFA.
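Both the Step 1 purpose ("check if given service:action definitions and conditions are implemented in the policy") and the remediation above come down to one question: does the combination of a principal's policies allow the action with MFA and refuse it without? The Python below is an added example, not ComplianceCow's or AWS's code, and it answers that question offline with a deliberately simplified policy evaluator (only `Action`, `Effect` and `Bool`/`BoolIfExists` conditions on `aws:MultiFactorAuthPresent`; `Resource`, `NotAction` and every other operator are ignored). The three policy documents are constructed for the example. It also shows the caveat a reviewer should look for when checking remediation: a Deny written with `Bool` instead of `BoolIfExists` never fires for long-term access keys, because IAM does not populate the key at all in that case. The production rule should still use the IAM policy simulator (`simulate_principal_policy` with a `ContextEntries` value for `aws:MultiFactorAuthPresent`), which evaluates the full policy language.

```python
# Added example (not ComplianceCow's or AWS's code): a simplified, offline
# check of whether a set of IAM policies enforces MFA for one action.
import fnmatch

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed sample policies. FORCE_MFA_POLICY is the usual "deny everything
# unless MFA is present" pattern; WEAK_FORCE_MFA_POLICY is the same intent
# written with Bool; EC2_ALLOW_POLICY is a plain allow with no MFA condition.
FORCE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
    }],
}
WEAK_FORCE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFAWeak",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Bool": {MFA_KEY: "false"}},
    }],
}
EC2_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_satisfied(condition, context):
    """Simplified IAM condition evaluation: only Bool and BoolIfExists are
    understood; any other operator makes the statement not apply (conservative).
    A key missing from `context` models a request where IAM does not set it."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = {str(v).lower() for v in _as_list(expected)}
            actual = context.get(key)
            if operator == "BoolIfExists":
                if actual is None:
                    continue          # ...IfExists: an absent key passes
                if str(actual).lower() not in wanted:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() not in wanted:
                    return False      # plain Bool: an absent key fails
            else:
                return False
    return True


def simulate(policies, action, mfa_present):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action across
    all policies attached to a principal. An applicable Deny always wins."""
    # With MFA the key is present and true; without MFA this example leaves the
    # key absent, which is what IAM does for requests signed with long-term keys.
    context = {MFA_KEY: "true"} if mfa_present else {}
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = _as_list(stmt.get("Action"))
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                continue
            if not _condition_satisfied(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


def mfa_enforced(policies, action):
    """The rule's check in Step 4 terms: the action is MFA-enforced when it is
    allowed with MFA present and not allowed without it."""
    return (simulate(policies, action, True) == "allowed"
            and simulate(policies, action, False) != "allowed")


if __name__ == "__main__":
    cases = [("allow only", [EC2_ALLOW_POLICY]),
             ("allow + Force_MFA (BoolIfExists)", [EC2_ALLOW_POLICY, FORCE_MFA_POLICY]),
             ("allow + weak Force_MFA (Bool)", [EC2_ALLOW_POLICY, WEAK_FORCE_MFA_POLICY])]
    for name, pols in cases:
        print(name, "| no MFA:", simulate(pols, "ec2:StopInstances", False),
              "| MFA:", simulate(pols, "ec2:StopInstances", True),
              "| enforced:", mfa_enforced(pols, "ec2:StopInstances"))
```

Run as a script it prints one line per case; the "weak" case allows `ec2:StopInstances` without MFA even though a Deny naming `aws:MultiFactorAuthPresent` is attached, which is exactly the situation the MFA_NE row of the taxonomy is meant to surface.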

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | AWSMFAPolicySimulatorReport   |
| **PreRequisiteRuleNames**  | AWSAccountAuthorizationDetails |
| **ApplicationClassName**   | AWSAppConnector               |