
IAM Users with Console Access Rule

This rule ensures IAM users with console access have MFA enabled for added security.

Rule: IAM users with console access should have MFA enabled
Framework: AWS Audit Manager Control Tower Guardrails
Severity: High

IAM users with console access should have MFA enabled for AWS Audit Manager Control Tower Guardrails

Overview

To enhance security within an AWS environment, it's a best practice to require Multi-Factor Authentication (MFA) for IAM users that have console access. AWS Audit Manager provides a way to automate the auditing of these practices against AWS Control Tower guardrails, ensuring compliance with security requirements.

Having MFA enabled is a strong defense against unauthorized access because it requires users to present two or more pieces of evidence (factors) to gain access. These factors are typically something they know (a password), something they have (a security token), and/or something they are (biometrics).

Troubleshooting Steps

If MFA is not enabled for IAM users with console access, follow these steps.

Step 1: Identify Users without MFA

List all IAM users and check their MFA status using the AWS CLI:

aws iam list-users --query 'Users[].[UserName,UserId]' --output text

For each user listed, check if MFA devices are enabled:

aws iam list-mfa-devices --user-name <username>

Replace <username> with the actual IAM user names obtained from the list.

Step 2: Enable MFA for Users

Instruct users to enable MFA on their own accounts, or perform this action for them using an identity with sufficient permissions:

  1. Go to the IAM dashboard in the AWS Management Console.
  2. Select 'Users' and choose the user.
  3. In the user's summary page, navigate to the 'Security credentials' tab.
  4. In the Multi-factor authentication (MFA) section, click the 'Manage' button.
  5. Choose the type of MFA device to enroll and complete the device setup.

Step 3: Enforce MFA using IAM Policy

Create an IAM policy that requires MFA and attach it to the users, groups, or roles that should be covered. Here is an example policy:

{
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "AllowAllActionsForUsersWithMFA",
       "Effect": "Allow",
       "Action": "*",
       "Resource": "*",
       "Condition": {
         "BoolIfExists": {
           "aws:MultiFactorAuthPresent": "true"
         }
       }
     },
     {
       "Sid": "DenyAllActionsForUsersWithoutMFA",
       "Effect": "Deny",
       "Action": "*",
       "Resource": "*",
       "Condition": {
         "BoolIfExists": {
           "aws:MultiFactorAuthPresent": "false"
         }
       }
     }
   ]
}
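The following added example (not code from the original page or from Cloud Defense) does two things: it automates the Step 1 check, flagging users that have a console login profile but no MFA device, and it evaluates the Step 3 policy's two BoolIfExists conditions for the three request contexts AWS can present, including a request made with long-term access keys, where the aws:MultiFactorAuthPresent key is absent entirely. All user names, serial numbers and the account id are constructed sample data whose shapes mirror the JSON returned by aws iam list-users and aws iam list-mfa-devices.

```python
"""Added example: Step 1 check on CLI-shaped sample data, plus an evaluator
for the Step 3 policy's BoolIfExists conditions. All data is constructed."""
from typing import Dict, List, Optional

# --- Part 1: rule check on constructed data shaped like the CLI output ----
USERS = {"Users": [{"UserName": "alice"}, {"UserName": "bob"},
                   {"UserName": "ci-deploy"}]}
# Users for which `aws iam get-login-profile` succeeds (console password set).
LOGIN_PROFILES = {"alice", "bob"}
# Per-user `aws iam list-mfa-devices` output (serial number is constructed).
MFA_DEVICES = {
    "alice": {"MFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}]},
    "bob": {"MFADevices": []},
    "ci-deploy": {"MFADevices": []},
}


def console_users_without_mfa(users: dict, login_profiles: set,
                              mfa_devices: Dict[str, dict]) -> List[str]:
    """Names of users that fail the rule: console access but no MFA device.
    API-only users (no login profile, e.g. ci-deploy) are out of scope."""
    return [u["UserName"] for u in users["Users"]
            if u["UserName"] in login_profiles
            and not mfa_devices.get(u["UserName"], {}).get("MFADevices")]


# --- Part 2: how the policy's conditions evaluate --------------------------
def bool_if_exists(ctx: Dict[str, Optional[str]], key: str, want: str) -> bool:
    """IAM ...IfExists semantics: a key missing from the request context makes
    the condition evaluate to true; otherwise compare the value normally."""
    return key not in ctx or ctx[key] == want


def effective_decision(ctx: Dict[str, Optional[str]]) -> str:
    """Evaluate the page's Allow and Deny statements for one request context.
    An explicit Deny always wins over an Allow in IAM evaluation."""
    key = "aws:MultiFactorAuthPresent"
    if bool_if_exists(ctx, key, "false"):   # DenyAllActionsForUsersWithoutMFA
        return "Deny"
    if bool_if_exists(ctx, key, "true"):    # AllowAllActionsForUsersWithMFA
        return "Allow"
    return "Deny"                           # no matching Allow: implicit deny


if __name__ == "__main__":
    print("Non-compliant:", console_users_without_mfa(USERS, LOGIN_PROFILES, MFA_DEVICES))
    for label, ctx in [("console login with MFA", {"aws:MultiFactorAuthPresent": "true"}),
                       ("console login without MFA", {"aws:MultiFactorAuthPresent": "false"}),
                       ("long-term access key (key absent)", {})]:
        print(f"{label}: {effective_decision(ctx)}")
```

Because the Deny covers every action, it also blocks the IAM calls a user needs to enroll their own MFA device; AWS's reference self-service MFA policy carves those calls out of the Deny with NotAction, which is worth doing if users are expected to enroll themselves.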

Step 4: Verify Compliance with AWS Control Tower Guardrails

Check for compliance with AWS Control Tower guardrails using AWS Audit Manager:

  1. Set up an assessment in AWS Audit Manager and select the appropriate framework that includes the MFA requirement.
  2. Run the assessment report to see which users and resources are compliant.

Remediation

If Users Still Do Not Have MFA Enabled

If users have not enabled MFA despite the policy:

  1. Send a communication to all IAM users detailing the importance of MFA and providing instructions on how to enable it.
  2. Specify a deadline by which all IAM users must enable MFA.

If Policies Do Not Enforce MFA

If there is no IAM policy that enforces MFA:

  1. Create a new IAM policy using the JSON provided in the above steps, or update existing policies to include MFA conditions.
  2. Attach the policy to all IAM roles and users requiring enforcement.

Conclusion

Enforcing MFA on IAM users with console access enhances the security posture of your AWS environment and helps maintain compliance with AWS Audit Manager Control Tower Guardrails. It is essential to monitor compliance regularly and take corrective actions as necessary. The steps outlined here should be incorporated into periodic security reviews and audit procedures.
