
Rule: Ensure Multi-Factor Authentication (MFA) for IAM Users

This rule ensures MFA is enabled for all IAM users that have a console password.

Rule: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Framework: cis_v130
Severity: Medium

Ensure Multi-Factor Authentication (MFA) is Enabled for All IAM Users with Console Access

Overview

Multi-Factor Authentication (MFA) in AWS adds an extra layer of security on top of the username and password. With MFA enforced, a user must also present a second factor, such as a code from a hardware token or SMS, before gaining access to the AWS Management Console.

This rule implements a requirement of the Center for Internet Security (CIS) AWS Foundations Benchmark version 1.3.0, which stipulates that every IAM user with a console login must have MFA enabled.

Troubleshooting Steps

If MFA is not enabled for IAM users with console access, it needs to be addressed promptly. Follow these steps to troubleshoot and remediate the issue:

Identify IAM Users Without MFA

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM dashboard.
  3. In the left navigation pane, click on "Users".
  4. For each user, check the "MFA" column to see if MFA is enabled.

Alternatively, you can use the AWS CLI: the first command lists the IAM user names, and the second lists the MFA devices registered for one user (an empty "MFADevices" list means no MFA is enrolled):

aws iam list-users --query 'Users[].UserName' --output text
aws iam list-mfa-devices --user-name {UserName}

Replace {UserName} with the actual IAM user name to check.
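Checking users one at a time does not scale, so here is an added example (not code from the original page or from Cloud Defense) that applies the same test to the IAM credential report, which carries both the "password_enabled" and "mfa_active" columns for every user. The sample report embedded below is constructed; the file-path usage assumes you have exported a real report with the CLI commands shown in the comments.

```python
import csv
import io
import sys

# Constructed sample in the layout of `aws iam get-credential-report`
# (the real report has more columns; only those read here are kept).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,true
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-05T00:00:00+00:00,true,no_information,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-07-01T00:00:00+00:00,false,N/A,false
"""


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return IAM user names that have a console password but no active MFA.

    This is the cis_v130 condition: password_enabled is true and mfa_active
    is false. The <root_account> row is skipped because root is not an IAM
    user (its MFA is covered by a separate control). Users without a console
    password (access-key-only users such as ci-deploy) are out of scope.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        password_enabled = row["password_enabled"].strip().lower() == "true"
        mfa_active = row["mfa_active"].strip().lower() == "true"
        if password_enabled and not mfa_active:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    # To run against a real account:
    #   aws iam generate-credential-report
    #   aws iam get-credential-report --query Content --output text | base64 -d > report.csv
    #   python check_mfa.py report.csv
    # With no argument the constructed sample above is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    for user in console_users_without_mfa(report):
        print(f"FAIL cis_v130 MFA: {user} has a console password but no active MFA")
```

On the sample above the check reports only "bob": alice has MFA, ci-deploy has no console password, and the root row is skipped.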

Enable MFA For Users

Using Console:

  1. Sign in to the AWS Management Console as an IAM user or root user.
  2. Open the IAM console at https://console.aws.amazon.com/iam/.
  3. In the navigation pane, click on "Users" and select the user to enable MFA.
  4. In the "User details" pane, click on the "Security credentials" tab.
  5. In the "Multi-factor authentication" section, click on the "Manage" link.
  6. Follow the instructions to select and set up the MFA device.

Using CLI:

AWS CLI does not support directly enabling MFA. Users must set up MFA devices through the AWS Management Console or use custom scripts/SDK to automate the MFA enrollment process.

Remediation

Apart from enabling MFA manually, you can enforce it by attaching a policy that denies API calls that are not authenticated with MFA. Here is an example IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Step by Step Guide for Remediation

Here is how you enforce MFA for your AWS IAM users:

  1. Log in to the AWS Management Console.
  2. Open the IAM console at https://console.aws.amazon.com/iam/.
  3. In the navigation pane, select "Policies" and then click on "Create policy".
  4. Choose the JSON tab and paste the above policy, which denies permissions unless MFA is present.
  5. Click on "Review policy", give it a name, and then "Create policy".
  6. Attach this policy to all IAM users or groups that require MFA.

By applying this policy, you will effectively block access to AWS resources for users without MFA, thereby encouraging compliance with the MFA requirement.
