This rule ensures MFA is enabled for all IAM users that have a console password.
| Field | Value |
| --- | --- |
| Rule | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
| Framework | cis_v140 |
| Severity | High |
Ensure Multi-Factor Authentication (MFA) is Enabled for all IAM Users with Console Password
Rule Description
This rule requires that every AWS Identity and Access Management (IAM) user who has a console password also has Multi-Factor Authentication (MFA) enabled. MFA adds a second layer of protection: in addition to the password, the user must present a one-time code from an AWS-supported MFA device, so a leaked or guessed password alone is not enough to sign in.
Prerequisites
Remediation Steps
1. Identify IAM Users Without MFA
To find IAM users without MFA enabled, you can use the AWS Management Console or the AWS CLI.
Using AWS Management Console:
Using AWS CLI:
The following command lists the IAM users that currently have an MFA device attached. Any user returned by `aws iam list-users` that has a console password (a login profile) but does not appear in this output has no MFA enabled:
aws iam list-mfa-devices --query "MFADevices[*].UserName"
2. Enable MFA for Users
After identifying IAM users without MFA, follow these steps to enable it.
Using AWS Management Console:
Using AWS CLI:
First, create a virtual MFA:
aws iam create-virtual-mfa-device --virtual-mfa-device-name <device_name> --outfile <path_to_save_qr_code> --bootstrap-method QRCodePNG
Then, attach the MFA to a user:
aws iam enable-mfa-device --user-name <iam_user_name> --serial-number arn:aws:iam::<account_number>:mfa/<device_name> --authentication-code-1 <first_code> --authentication-code-2 <second_code>
The <first_code> and <second_code> values are two consecutive MFA codes generated by the device.
3. Automate Compliance Checking
Use AWS Config to automatically check the MFA status for IAM users.
Creating AWS Config Rule:
4. Enforce MFA at Login
Attach a policy that denies all permissions unless the request was authenticated with MFA. Note that the blanket deny below also blocks the IAM actions a user needs to enrol their own MFA device; the AWS reference policy for this pattern uses NotAction to exclude those self-service IAM actions from the deny.
Using AWS Management Console:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```
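The check from step 1 (and the automated compliance check of step 3) can be run against the IAM credential report, which lists every user with a password_enabled and an mfa_active column. This is an added example, not code from the original rule page; the CSV below is a constructed sample that uses a subset of the report's real columns, and the account number and user names are placeholders.

```python
import csv
import io

# Constructed sample in the layout of an IAM credential report (subset of
# columns). The real report is returned base64-encoded by
# `aws iam get-credential-report` after `aws iam generate-credential-report`.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-02T00:00:00+00:00,true,no_information,2023-06-01T00:00:00+00:00,N/A,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def users_missing_mfa(report_csv: str) -> list[str]:
    """Return IAM user names that have a console password but no active MFA.

    A user is non-compliant under this rule only when both conditions hold:
    password_enabled is true (they can sign in to the console) and
    mfa_active is false. Users without a console password (API-only users)
    are out of scope for this rule.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root row reports 'not_supported' for password_enabled; root MFA
        # is covered by a separate CIS rule, so it is skipped here.
        if row["user"] == "<root_account>":
            continue
        has_password = row["password_enabled"].strip().lower() == "true"
        has_mfa = row["mfa_active"].strip().lower() == "true"
        if has_password and not has_mfa:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for name in users_missing_mfa(SAMPLE_REPORT):
        print(f"NON-COMPLIANT: {name} has a console password but no MFA")
```

To run it against a real account, feed the function the decoded report: `aws iam get-credential-report --query Content --output text | base64 -d` produces the CSV in this layout.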
Troubleshooting Common Issues