
Ensure MFA is enabled for the 'root' user account

This rule ensures Multi-Factor Authentication (MFA) is enabled specifically for the 'root' user account.

Rule: Ensure MFA is enabled for the 'root' user account
Framework: cis_v140
Severity: High

Ensure MFA is Enabled for the 'Root' User Account (CIS v1.4.0)

Description

Enabling Multi-Factor Authentication (MFA) adds an additional layer of security to your AWS account's root user. The root user has full access to all resources in the AWS account, and it is a best practice recommended by the Center for Internet Security (CIS) to protect it with MFA. MFA requires the user to present two or more different forms of evidence (factors) when logging in. The CIS AWS Foundations Benchmark v1.4.0 guideline stipulates that MFA should be enabled on the root account to prevent unauthorized access.

Troubleshooting Steps

If MFA is not enabled for your AWS root account, follow these steps:

Checking MFA Status

  1. Sign in to the AWS Management Console as the root user.
  2. Navigate to the "My Security Credentials" section under your account name.
  3. Under the Multi-Factor Authentication (MFA) section, check whether MFA is enabled.

If MFA is not enabled, follow the remediation steps below.

Remediation Steps

Enabling MFA for AWS Root Account

  1. Go to the AWS Management Console as the root user.
  2. Click on the account name at the top right corner of the console.
  3. From the dropdown menu, select "My Security Credentials."
  4. Expand the "Multi-Factor Authentication (MFA)" section.
  5. Click on the "Activate MFA" button.
  6. Choose a virtual MFA device or a hardware MFA device.
     • For a virtual MFA, use an app like Google Authenticator or Authy on your mobile device.
     • For a hardware MFA, you must purchase a compatible device.
  7. Follow the instructions to set up the MFA device.
  8. Enter the MFA code generated by your device to confirm the setup.

CLI Commands (If Applicable)

Currently, there is no direct AWS CLI command available to enable MFA for the root user account. It must be done through the AWS Management Console.
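The root MFA status can still be audited from the CLI, which is how the CIS benchmark itself checks this control. The script below is an added example, not part of this page or the Cloud Defense product; it assumes the AWS CLI is installed and has credentials with `iam:GetAccountSummary` and `iam:ListVirtualMFADevices`, and the embedded sample responses are constructed.

```python
import json
import subprocess

# Constructed sample responses mirroring the shape of
# `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices`.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}
SAMPLE_VIRTUAL_DEVICES = {
    "VirtualMFADevices": [
        {
            "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
            "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"},
        }
    ]
}


def evaluate_root_mfa(summary, virtual_devices):
    """Verdict for the CIS root-MFA check.

    mfa_enabled: AccountMFAEnabled == 1 in the account summary (the CIS audit step).
    mfa_type:    'virtual' when an assigned virtual device belongs to the root
                 principal, 'hardware' (hardware TOTP token or FIDO key) when MFA
                 is on but no virtual device is assigned to root, 'none' otherwise.
    """
    enabled = summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1
    root_virtual = [
        d for d in virtual_devices.get("VirtualMFADevices", [])
        if d.get("User", {}).get("Arn", "").endswith(":root")
    ]
    if not enabled:
        mfa_type = "none"
    elif root_virtual:
        mfa_type = "virtual"
    else:
        mfa_type = "hardware"
    return {"mfa_enabled": enabled, "mfa_type": mfa_type, "compliant": enabled}


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs live credentials)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


if __name__ == "__main__":
    summary = aws_json("iam", "get-account-summary")
    devices = aws_json("iam", "list-virtual-mfa-devices", "--assignment-status", "Assigned")
    print(json.dumps(evaluate_root_mfa(summary, devices), indent=2))
```

A finding of `mfa_type: "virtual"` satisfies this rule but not the stricter CIS v1.4.0 hardware-MFA recommendation for root.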

Verification

After setting up MFA:

  1. Log out of the AWS Management Console.
  2. Log back in as the root user.
  3. You should be prompted for your root account's password and the MFA code from your configured device.

Ensure that MFA is correctly enabled and working by successfully logging in with both the password and MFA code.

Summary

Enabling MFA on your AWS root account is a critical security measure to prevent unauthorized access to your AWS resources. Following these remediation steps will help you comply with the CIS v1.4.0 guidelines and increase the security posture of your AWS account.
