Production credentials restricted with MFA and audit
Why it matters
Production credentials accessible without MFA mean a single compromised developer account — through phishing, credential stuffing, or a breached password manager — gives an attacker full access to modify environment variables, redeploy the application, or exfiltrate secrets. OWASP A07 (Identification & Authentication Failures) and NIST IA-3 both require strong authentication for administrative access. Without audit trails (NIST AU-2), you cannot determine whether a production credential was accessed after a breach, making incident response blind. Many insurance and compliance frameworks now require MFA for any system with access to production credentials.
Severity rationale
Medium because MFA absence on production access is a single-factor authentication failure that allows credential stuffing or phishing to fully compromise production environments.
Remediation
Enable MFA enforcement at the platform level — individual developer settings are insufficient because they can be disabled. Also enable audit logging so any access to production environment variables is recorded.
Vercel: Team → Settings → Security → Require two-factor authentication
Netlify: Team → Security → Enforce multi-factor authentication
AWS IAM: Attach a policy requiring MFA before any production action:
aws iam create-policy \
--policy-name RequireMFAForProd \
--policy-document file://src/config/iam-mfa-policy.json
Review access logs monthly. For AWS, CloudTrail provides a full record of who accessed or changed secrets and when.
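The shape of the IAM policy the create-policy command above expects, as an added example and not the project's own src/config/iam-mfa-policy.json. It assumes production secrets live in SSM Parameter Store and Secrets Manager and that deployments go through Lambda and ECS; the listed actions are an assumption to adapt to the account. The Deny uses BoolIfExists so that requests signed with long-term access keys, where aws:MultiFactorAuthPresent is absent entirely, are refused as well as sessions that explicitly lack MFA; the first statement leaves users able to enroll their own MFA device so they are not locked out.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManageOwnMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "iam:GetUser"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "DenyProductionActionsWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:PutParameter",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "lambda:UpdateFunctionConfiguration",
        "ecs:UpdateService"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Narrowing "Resource" to the production ARNs (or adding a resource-tag condition) keeps non-production work unaffected; as written, every listed action requires MFA regardless of environment.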
Detection
- ID: prod-access-restricted
- Severity: medium
- What to look for: Check access control settings for production environment in your deployment platform (Vercel, Netlify, AWS, etc.). Look for evidence of MFA (multi-factor authentication) being enforced for production access. Check if access logs or audit trails are available.
- Pass criteria: Count all production access control mechanisms in place. Production environment access requires MFA with at least 100% of admin accounts enforced. Access to production credentials is logged and audited. Only authorized personnel can deploy or modify production environment variables.
- Cross-reference: For secrets manager audit logging, see the secrets-audit-logged check in the Access & Audit category.
- Fail criteria: Production environment is accessible without MFA, or access is not logged.
- Skip (N/A) when: The project has no production environment or is a personal hobby project.
- Detail on fail: "Production environment on Vercel has no MFA enforcement" or "No audit trail visible for production credential access".
- Remediation: Enable MFA for your deployment platform:
  Vercel: Team → Settings → Security → Require MFA
  Netlify: Team → Security → Enforce multi-factor authentication
  AWS: IAM → Enable MFA device for all production users
  Set up audit logging to track who accesses and modifies environment variables. Review logs monthly for suspicious activity:
  # AWS — enforce MFA via IAM policy
  aws iam create-policy --policy-name RequireMFA --policy-document file://src/config/mfa-policy.json
External references
- cwe · CWE-308 — Use of Single-factor Authentication
- owasp:2021 · A07 — Identification and Authentication Failures
- nist:rev5 · IA-3 — Device Identification and Authentication
- nist:rev5 · AU-2 — Event Logging
Taxons
History
- 2026-04-18·v1.0.0·Initial import from environment-security·automated