Ensure multi-factor authentication is enabled for IAM users with console password.
| Rule | MFA should be enabled for all IAM users that have a console password |
| Framework | AWS Foundational Security Best Practices |
| Severity | Medium |
MFA (Multi-Factor Authentication) Policy for IAM Users in AWS
Rule Description
To enhance the security of your AWS resources, enable Multi-Factor Authentication (MFA) for every AWS Identity and Access Management (IAM) user that has a console password (that is, a login profile). This policy aligns with the AWS Foundational Security Best Practices and adds a second factor on top of the password, so a leaked or guessed password alone is not enough to sign in to your AWS environment.
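A quick way to find the users this rule applies to is the IAM credential report, which lists every user with a `password_enabled` and an `mfa_active` column. The script below is an added example, not part of the original page: it parses that CSV layout and prints each user that has a console password but no active MFA device. The embedded report is constructed sample data (the account ID and user names are invented); the commented-out lines at the end show how the same function would be fed a real report fetched with the AWS CLI, which requires the `iam:GenerateCredentialReport` and `iam:GetCredentialReport` permissions.

```shell
#!/bin/sh
# Added example: list IAM users with a console password but no active MFA.
# Assumes the CSV produced by `aws iam get-credential-report` (its Content field is
# base64-encoded). Only the user, password_enabled and mfa_active columns are used.

# Constructed sample credential report; account id and user names are invented.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-05-02T10:00:00+00:00,true,2024-03-01T08:00:00+00:00,2023-11-01T08:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-07-14T09:30:00+00:00,true,2024-02-20T11:00:00+00:00,2022-07-14T09:30:00+00:00,N/A,false,false
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-01-10T12:00:00+00:00,false,no_information,N/A,N/A,false,true'

# Reads a credential report on stdin and prints one non-compliant user per line.
# Column positions are taken from the header row, not hard-coded, so extra
# columns AWS appends to the report do not break the check. The root account
# row reports password_enabled=not_supported and is therefore skipped; users
# without a console password (API-only users such as ci-deployer) are skipped too.
console_users_without_mfa() {
    awk -F',' '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            u  = col["user"]
            pe = col["password_enabled"]
            ma = col["mfa_active"]
            next
        }
        $pe == "true" && $ma != "true" { print $u }
    '
}

# Offline run against the constructed sample (prints: bob)
printf '%s\n' "$SAMPLE_REPORT" | console_users_without_mfa

# Against a live account (commented out so the script runs offline):
# aws iam generate-credential-report >/dev/null
# aws iam get-credential-report --query Content --output text | base64 -d | console_users_without_mfa
```

Each printed name is a user that fails this rule and needs the remediation steps below; running the check on a schedule and alerting on non-empty output turns the rule into a continuous control rather than a one-off audit.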
Troubleshooting Steps
If you encounter any issues while implementing MFA for IAM users, follow these troubleshooting steps:
Necessary Code
No specific code is required for this policy as it is primarily a configuration and security best practice.
Remediation Steps
To enable MFA for IAM users who have a console password, follow these step-by-step instructions:

1. Log in to the AWS Management Console using your root account or an IAM user with administrative privileges.
2. Open the IAM console by navigating to the IAM service.
3. In the left navigation pane, click on "Users" to view a list of all IAM users.
4. Locate the IAM user for which you want to enable MFA and select the user by clicking on their username.
5. In the "Security credentials" tab, scroll down to the "Multi-factor authentication (MFA)" section and click on the "Manage" button.
6. On the next screen, click on the "Assign MFA device" button.
7. Choose the type of MFA device the user will be using. Options include a "Virtual MFA device" (such as Google Authenticator) or a "Hardware MFA device" (such as a physical hardware token).
8. Follow the on-screen instructions to configure the chosen MFA device for the user. This typically involves scanning a QR code or entering a secret key provided by the MFA device.
9. Once the MFA device is configured, click on "Assign" to complete the process.
10. The user will now be prompted to provide the MFA code generated by their configured device every time they log in to the AWS Management Console.
CLI Command for Automation (Optional)
If you prefer using the AWS Command Line Interface (CLI) for automation purposes, the following CLI command enables an MFA device for an IAM user. Note that the command requires the serial number of the device in addition to two consecutive codes from it; for a virtual device this is the ARN returned by `aws iam create-virtual-mfa-device`, and for a hardware token it is the serial number printed on the device:

aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_SERIAL_OR_ARN> --authentication-code1 <FIRST_AUTH_CODE> --authentication-code2 <SECOND_AUTH_CODE>

Replace <IAM_USER_NAME> with the desired IAM user's username, <MFA_DEVICE_SERIAL_OR_ARN> with the serial number or ARN of the MFA device, and <FIRST_AUTH_CODE> and <SECOND_AUTH_CODE> with two consecutive MFA codes generated by the configured device. Note: Ensure that you have the necessary permissions (in particular `iam:EnableMFADevice`) to execute this command.
Conclusion
Enabling MFA for IAM users with console passwords is an essential security best practice to protect your AWS resources. By following the step-by-step guide provided above, you can easily implement this policy and enhance the overall security of your AWS environment.