Production credentials reachable without MFA mean that a single compromised developer account, whether through phishing, credential stuffing, or a breached password manager, gives an attacker full access to modify environment variables, redeploy the application, or exfiltrate secrets. OWASP Top 10 A07:2021 (Identification and Authentication Failures) and NIST SP 800-53 IA-2(1) (multi-factor authentication to privileged accounts) both call for strong authentication on administrative access. Without an audit trail (NIST SP 800-53 AU-2, Event Logging) you cannot tell whether a production credential was read after a breach, so incident response starts blind and every secret has to be assumed exposed and rotated. Many cyber-insurance questionnaires and compliance frameworks now require MFA for any system that can reach production credentials.
Medium: without MFA, production access rests on a single factor, so a phished or credential-stuffed password alone is enough to fully compromise the production environment.
Enforce MFA at the platform level (team or organization setting); per-user settings are insufficient because the user can switch them off again. Also enable audit logging so every read or change of production environment variables is recorded.
Vercel: Team → Settings → Security → Require two-factor authentication
Netlify: Team → Security → Enforce multi-factor authentication
AWS IAM: Create a policy that denies production actions unless the caller's session is MFA-authenticated (a Deny statement conditioned on aws:MultiFactorAuthPresent being false), then attach it to the groups or roles that hold production access; create-policy on its own enforces nothing until the policy is attached:
aws iam create-policy \
--policy-name RequireMFAForProd \
--policy-document file://src/config/iam-mfa-policy.json
Review access logs monthly. For AWS, CloudTrail records who read or changed secrets (Secrets Manager and SSM Parameter Store API calls are logged as management events), when, and whether the session was MFA-authenticated. Make sure a trail is configured to deliver to S3: the console's event history only covers the last 90 days.
ID: environment-security.secrets-management.prod-access-restricted
Severity: medium
What to look for: Check the access-control settings of the production environment in the deployment platform (Vercel, Netlify, AWS, etc.). Look for evidence that MFA (multi-factor authentication) is enforced for production access, and check whether access logs or audit trails are available.
Pass criteria: Enumerate the access-control mechanisms on the production environment. MFA is enforced for every admin account (100% coverage, required at the platform level rather than opted into per user). Access to production credentials is logged and auditable. Only authorized personnel can deploy or modify production environment variables.
Cross-reference: For secrets manager audit logging, see the secrets-audit-logged check in the Access & Audit category.
Fail criteria: Production environment is accessible without MFA, or access is not logged.
Skip (N/A) when: The project has no production environment or is a personal hobby project.
Detail on fail: "Production environment on Vercel has no MFA enforcement" or "No audit trail visible for production credential access".
Remediation: Enable MFA for your deployment platform:
Vercel: Team → Settings → Security → Require two-factor authentication
Netlify: Team → Security → Enforce multi-factor authentication
AWS: IAM → enrol an MFA device for every production user, and attach a policy that denies production actions without MFA (enrolled devices alone do not stop a caller who has only the password or an access key)
Set up audit logging to track who reads and modifies environment variables, and review the logs monthly for suspicious activity:
# AWS: enforce MFA via IAM policy. The policy document denies actions when aws:MultiFactorAuthPresent is false; attach it to the production groups or roles after creating it
aws iam create-policy --policy-name RequireMFAForProd --policy-document file://src/config/iam-mfa-policy.json
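As an added example, not part of this check's own text or of any platform's tooling, the following Python script covers the AWS side of both the narrative remediation earlier on the page and this Remediation section: it builds the policy document that the create-policy command expects (following AWS's documented require-MFA pattern, a Deny conditioned on aws:MultiFactorAuthPresent), lists console users without MFA from the IAM credential report, and flags secret reads in CloudTrail records that were not MFA-authenticated. The credential-report CSV and CloudTrail records are constructed sample data, and the function names are this example's own.

```python
# Added example (not the page's or any vendor's code): offline helpers for
# the AWS side of this check. The policy shape follows AWS's documented
# "require MFA" pattern; all sample data is constructed.
import csv
import io
import json

# Actions a user needs to enrol their own MFA device; they stay allowed so
# a user without MFA can fix the problem instead of being locked out.
SELF_SERVICE_ACTIONS = ["iam:GetUser", "iam:ListMFADevices",
                        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                        "iam:ResyncMFADevice"]
LIST_ACTIONS = ["iam:ListUsers", "iam:ListVirtualMFADevices"]


def mfa_required_policy() -> dict:
    """Document for the RequireMFAForProd policy: deny everything except MFA
    self-service unless the session is MFA-authenticated. BoolIfExists also
    matches when aws:MultiFactorAuthPresent is absent (long-term access
    keys), so key-only calls are denied as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowListForSelfService", "Effect": "Allow",
             "Action": LIST_ACTIONS, "Resource": "*"},
            {"Sid": "AllowOwnMfaDevice", "Effect": "Allow",
             "Action": SELF_SERVICE_ACTIONS,
             "Resource": ["arn:aws:iam::*:user/${aws:username}",
                          "arn:aws:iam::*:mfa/${aws:username}"]},
            {"Sid": "DenyAllWithoutMfa", "Effect": "Deny",
             "NotAction": LIST_ACTIONS + SELF_SERVICE_ACTIONS, "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def users_without_mfa(report_csv: str) -> list[str]:
    """Console-enabled IAM users (password_enabled == true) with no active
    MFA device, from the CSV that `aws iam get-credential-report` returns
    (base64-decoded). Key-only users and the root row (password_enabled is
    not_supported) are skipped; root MFA is a separate check."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def mfa_coverage_percent(report_csv: str) -> float:
    """Share of console-enabled users with MFA; the pass criteria need 100."""
    console = [r for r in csv.DictReader(io.StringIO(report_csv))
               if r["password_enabled"] == "true"]
    if not console:
        return 100.0
    return 100.0 * sum(r["mfa_active"] == "true" for r in console) / len(console)


SECRET_EVENTS = {"GetSecretValue", "PutSecretValue", "UpdateSecret",
                 "GetParameter", "GetParameters", "PutParameter"}


def secret_access_without_mfa(records: list[dict]) -> list[tuple[str, str]]:
    """Secrets Manager / Parameter Store calls in CloudTrail records whose
    session was not MFA-authenticated. A call signed with long-term access
    keys carries no sessionContext and is flagged too. Returns
    (principal, eventName) pairs for the monthly log review."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in SECRET_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        if attrs.get("mfaAuthenticated") != "true":
            hits.append((ident.get("userName") or ident.get("arn", "unknown"),
                         rec["eventName"]))
    return hits


# Constructed sample data: a credential report trimmed to the columns used
# (real reports have more) and three CloudTrail records.
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
"""
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventName": "GetSecretValue", "userIdentity": {"type": "IAMUser",
     "userName": "alice", "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventName": "GetSecretValue",  # signed with a long-term access key
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "ListSecrets", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

if __name__ == "__main__":
    print(json.dumps(mfa_required_policy(), indent=2))
    print("console users without MFA:", users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
    print("MFA coverage: %.0f%%" % mfa_coverage_percent(SAMPLE_CREDENTIAL_REPORT))
    print("secret access without MFA:", secret_access_without_mfa(SAMPLE_CLOUDTRAIL_RECORDS))
```

Write the output of mfa_required_policy() to src/config/iam-mfa-policy.json before running the create-policy command above, then attach the policy with aws iam attach-group-policy to the groups that hold production access. For the monthly review, feed users_without_mfa the decoded output of aws iam get-credential-report and secret_access_without_mfa the Records array from your trail's JSON files; the credential report does not say which users are admins, so intersect its result with your admin group membership to judge the 100% criterion.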