
Rule: Hardware MFA should be enabled for the root user

This rule ensures that Hardware MFA is enabled for the root user.

Rule: Hardware MFA should be enabled for the root user
Framework: AWS Foundational Security Best Practices
Severity: Critical

Description

Enabling hardware Multi-Factor Authentication (MFA) for the root user is a crucial security practice in Amazon Web Services (AWS) to protect sensitive account information and resources. MFA adds an extra layer of security by requiring an additional authentication factor, in the form of a physical hardware device, in addition to the root user's password.

Troubleshooting Steps

1. Verify access to the root user

Ensure that you have access to the root user account for the AWS account in question. This is essential to enable hardware MFA for the root user.

2. Check hardware MFA device compatibility

Verify that the hardware MFA device you are planning to use is compatible with AWS. Most hardware MFA devices that support the Time-based One-Time Password (TOTP) open standard should work with AWS.

3. Validate correct device setup

Ensure that the hardware MFA device is correctly set up and synchronized with the AWS root user account. Follow the device-specific instructions to configure it properly.

4. Confirm AWS MFA virtual device is disabled

If you have previously configured a virtual MFA device for the root user, disable it before enabling the hardware MFA. Having multiple MFA devices simultaneously enabled for the same user can cause issues.

Necessary Codes

No specific code is required for this rule. The process is carried out through the AWS Management Console.

Step-by-step Guide

Follow these steps to enable hardware MFA for the root user in AWS:

Step 1: Access AWS Management Console

  1. Go to the AWS Management Console at https://console.aws.amazon.com/.
  2. Enter the root user's email or account ID and password to log in.

Step 2: Navigate to IAM service

  1. Once you are logged in, navigate to the IAM service by typing "IAM" in the search bar at the top and selecting "IAM" from the results.

Step 3: Access the root user

  1. In the IAM dashboard, click on "Users" in the left-hand menu.
  2. Find and click on the root user in the list of IAM users.

Step 4: Enable MFA for the root user

  1. On the root user details page, scroll down to the "Security credentials" section.
  2. Click on the "Manage" button next to "Assigned MFA device".
  3. Select the "A hardware MFA device" option and click "Continue".
  4. Follow the on-screen instructions to scan the QR code or manually enter the MFA device details.
  5. Once the MFA device is added, sign out of the root user account.

Step 5: Test MFA setup

  1. Log in to the AWS Management Console using the root user's email or account ID.
  2. Enter the password and provide the authentication code generated by the hardware MFA device when prompted.
  3. If the login is successful, the MFA setup is complete.
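Beyond the manual login test, the rule's condition can be verified from the IAM API: the account summary reports whether root has any MFA device, and the list of assigned virtual MFA devices reveals whether that device is virtual rather than hardware. The following Python is an added example, not code from this page or from Cloud Defense; the function names are mine and the sample API responses are constructed.

```python
ROOT_ARN_SUFFIX = ":root"


def evaluate_root_hardware_mfa(summary_map, virtual_mfa_devices):
    """Return (compliant, reason) for the root hardware-MFA rule.

    summary_map: 'SummaryMap' from iam.get_account_summary().
    virtual_mfa_devices: 'VirtualMFADevices' entries from
        iam.list_virtual_mfa_devices(AssignmentStatus='Assigned').
    Logic: AccountMFAEnabled must be 1 (root has some MFA), and no virtual
    device may be assigned to root; a non-virtual root MFA is a hardware
    token or security key.
    """
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return False, "root user has no MFA device at all"
    for device in virtual_mfa_devices:
        user_arn = device.get("User", {}).get("Arn", "")
        if user_arn.endswith(ROOT_ARN_SUFFIX):
            return False, f"root MFA is virtual: {device.get('SerialNumber')}"
    return True, "root user has a hardware MFA device"


def fetch_and_evaluate(session=None):
    """Query IAM with boto3 (needs credentials) and evaluate the live account."""
    import boto3  # imported lazily so the evaluator above runs offline
    iam = (session or boto3.Session()).client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(
            AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return evaluate_root_hardware_mfa(summary, devices)


# Constructed sample responses (not real account data) for offline use.
ACCT = "123456789012"
SUMMARY_NO_MFA = {"AccountMFAEnabled": 0}
SUMMARY_MFA = {"AccountMFAEnabled": 1}
VIRTUAL_ON_ROOT = [{"SerialNumber": f"arn:aws:iam::{ACCT}:mfa/root-account-mfa-device",
                    "User": {"Arn": f"arn:aws:iam::{ACCT}:root"}}]
VIRTUAL_ON_IAM_USER = [{"SerialNumber": f"arn:aws:iam::{ACCT}:mfa/alice",
                        "User": {"Arn": f"arn:aws:iam::{ACCT}:user/alice"}}]

if __name__ == "__main__":
    for label, summary, devices in [("no MFA", SUMMARY_NO_MFA, []),
                                    ("virtual MFA on root", SUMMARY_MFA, VIRTUAL_ON_ROOT),
                                    ("hardware MFA on root", SUMMARY_MFA, VIRTUAL_ON_IAM_USER)]:
        print(f"{label}: {evaluate_root_hardware_mfa(summary, devices)}")
```

Running fetch_and_evaluate against a real account requires credentials with iam:GetAccountSummary and iam:ListVirtualMFADevices; the offline samples exercise the three outcomes the rule distinguishes.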

Conclusion

Enabling hardware MFA for the root user enhances the security of your AWS account as it ensures the root user must possess both the password and the physical MFA device to gain access. This reduces the risk of unauthorized access, protecting your account and resources from potential security breaches.
