
Ensure Multi-Factor Authentication (MFA) Rule

This rule ensures MFA is enabled for all IAM users with console password.

Rule: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Framework: cis_v140
Severity: High

Ensure Multi-Factor Authentication (MFA) is Enabled for all IAM Users with Console Password

Rule Description

This rule requires that all AWS Identity and Access Management (IAM) users having a console password also have Multi-Factor Authentication (MFA) enabled. MFA adds an extra layer of security because it requires users to provide unique authentication from an AWS-supported device.

Prerequisites

  • AWS Account
  • IAM users with console access
  • Permissions to manage IAM policies and MFA devices

Remediation Steps

1. Identify IAM Users Without MFA

To find IAM users without MFA enabled, you can use the AWS Management Console or the AWS CLI.

Using AWS Management Console:

  • Navigate to the IAM dashboard.
  • Click on "Users" in the navigation pane.
  • Look for users with a “No” in the "MFA" column.

Using AWS CLI:

Generate the IAM credential report and filter it for users whose console password is enabled (column 4, password_enabled) but who have no active MFA device (column 8, mfa_active). Note that "aws iam list-mfa-devices" only lists the devices of a single user, so it cannot produce this list on its own:

aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 -d | awk -F, '$4 == "true" && $8 == "false" {print $1}'

The first command is asynchronous: re-run it until it reports "COMPLETE" before downloading the report.

2. Enable MFA for Users

After identifying IAM users without MFA, follow these steps to enable it.

Using AWS Management Console:

  • Go to the IAM dashboard, click on "Users," and select the user.
  • In the user details page, go to the "Security credentials" tab.
  • Under "Assigned MFA device," click the "Manage" link.
  • Follow the wizard to activate MFA using a virtual MFA device or a hardware MFA device.

Using AWS CLI:

First, create a virtual MFA:

aws iam create-virtual-mfa-device --virtual-mfa-device-name <device_name> --outfile <path_to_save_qr_code> --bootstrap-method QRCodePNG

Then, attach the MFA to a user:

aws iam enable-mfa-device --user-name <iam_user_name> --serial-number arn:aws:iam::<account_number>:mfa/<device_name> --authentication-code-1 <first_code> --authentication-code-2 <second_code>

The <first_code> and <second_code> values are two consecutive codes generated by the MFA device.

3. Automate Compliance Checking

Use AWS Config to automatically check the MFA status for IAM users.

Creating AWS Config Rule:

  • Navigate to the AWS Config console.
  • Choose "Rules" from the sidebar and then click on "Add rule."
  • Search for "mfa-enabled-for-iam-console-access" and add it.
  • Configure the rule settings as required and save.

4. Enforce MFA at Login

Implement a policy which denies all permissions unless the MFA is used for authentication.

Using AWS Management Console:

  • Go to the IAM dashboard, click on "Policies," and then click "Create policy."
  • Choose the JSON tab and insert the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
            }
        ]
    }
  • Review and name your policy.
  • Attach the policy to IAM users or groups as required.
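The following is an added example, not part of this page or of the Cloud Defense product, that implements the check from step 1 as a script: it decodes the JSON output of "aws iam get-credential-report" and returns the IAM users that have a console password but no active MFA device. The credential report content and the account number 123456789012 are constructed sample data.

```python
import base64
import csv
import io
import json

# Constructed sample credential report (the CSV that IAM returns, base64-encoded,
# in the "Content" field of `aws iam get-credential-report`). Only the columns
# this check needs are meaningful; the rest mirror the real report layout.
SAMPLE_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-01-01T00:00:00+00:00,true,2024-01-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2021-01-01T00:00:00+00:00,true,no_information,2023-01-01T00:00:00+00:00,N/A,false,true
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2021-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true
"""

# Constructed stand-in for the JSON the CLI prints.
SAMPLE_CLI_OUTPUT = json.dumps({
    "Content": base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
    "GeneratedTime": "2024-01-02T00:00:00+00:00",
})


def decode_credential_report(cli_json: str) -> str:
    """Return the CSV text carried in the Content field of get-credential-report output."""
    return base64.b64decode(json.loads(cli_json)["Content"]).decode()


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return users with a console password but no active MFA device.

    This is exactly the condition the rule flags. The root account appears in
    the report as <root_account> and is covered by a separate CIS check, so it
    is skipped here; users without a console password (API-only users such as
    svc-deploy) are out of scope for this rule.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(
        row["user"]
        for row in rows
        if row["user"] != "<root_account>"
        and row["password_enabled"] == "true"
        and row["mfa_active"] == "false"
    )


if __name__ == "__main__":
    # Real usage: pipe `aws iam get-credential-report` output into this script.
    print(console_users_without_mfa(decode_credential_report(SAMPLE_CLI_OUTPUT)))
```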

Troubleshooting Common Issues

  • MFA Device Lost or Malfunctioning: If a user loses access to their MFA device, an IAM administrator can deactivate the existing MFA device from the user's security credentials and then guide the user to register a new one.
  • Policy Not Taking Effect: It may be due to policy version issues. Make sure to set the newly created policy as the default version.

