
Rule: Ensure multi-factor authentication (MFA) for IAM users

This rule mandates the enabling of MFA for all IAM users with console passwords.

Rule: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Framework: cis_v150
Severity: Critical

Ensure Multi-Factor Authentication (MFA) is Enabled for All IAM Users That Have a Console Password

Multi-Factor Authentication (MFA) is a critical layer of security for protecting AWS resources. Enforcing MFA for IAM users with a console password helps to mitigate the risk of unauthorized access due to compromised credentials. This guide details the rule, provides troubleshooting steps, and includes necessary commands for remediation.

Description of the Rule

The rule aims to enforce the use of MFA for all IAM users within an AWS account that have access to the AWS Management Console. MFA requires users to present two or more pieces of evidence (or factors) before gaining access to the console, ensuring a higher level of security than username and password alone.

Troubleshooting Steps

If the rule fails, it indicates that there are IAM users with console access who do not have MFA enabled. You will need to identify and rectify this by ensuring that MFA is enabled for all such users.

Step 1: Identify Non-Compliant IAM Users

  • AWS Management Console:

    • Go to the IAM dashboard.
    • In the navigation pane, click on "Users".
    • Check the "MFA" column to see which users do not have MFA enabled.
  • AWS CLI: `aws iam list-users` does not report whether a user has a console password, and filtering on PasswordLastUsed misses users who have a password but have never signed in with it. Use the IAM credential report instead; it records password_enabled (column 4) and mfa_active (column 8) for every user:

    aws iam generate-credential-report
    aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8
    
    Any row with password_enabled "true" and mfa_active "false" is non-compliant. The root account appears as <root_account> with password_enabled "not_supported" and is outside the scope of this rule.

To confirm a single user, check for a login profile (the command fails with NoSuchEntity when the user has no console password), then list the user's MFA devices:

aws iam get-login-profile --user-name <UserName>
aws iam list-mfa-devices --user-name <UserName>

Step 2: Enable MFA for Users

  • AWS Management Console:

    • Click on the user without MFA in the IAM dashboard.
    • Navigate to the "Security credentials" tab.
    • Find the "Assigned MFA device" section and click on the "Manage" link.
  • AWS CLI:

    • Use the following command to create a virtual MFA device. The QR code written to <path-to-output> is scanned into the user's authenticator app, and the response contains the device's SerialNumber (an ARN):
    aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa-device-name> --outfile <path-to-output> --bootstrap-method QRCodePNG
    
    • Associate the virtual MFA device with the user, supplying that SerialNumber and two consecutive codes from the app:
    aws iam enable-mfa-device --user-name <UserName> --serial-number <SerialNumber> --authentication-code-1 <Code1> --authentication-code-2 <Code2>
    

In the console, follow the on-screen instructions to finish setup with the user's chosen device type (virtual MFA app, hardware TOTP token, or FIDO security key). The CLI commands above cover virtual (TOTP) devices only.

Remediation Steps

After identifying the IAM users without MFA via the troubleshooting steps, follow these remediation steps:

Step by Step Guide for Remediation

1. Configure MFA for Users

  • Use the AWS Management Console or the AWS CLI to configure MFA devices for each user following the instructions above.

2. Enforce MFA via IAM Policies

Create an IAM policy that requires MFA to access AWS services:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

Attach this policy to all IAM users; attaching it to a group that every user belongs to is easier to maintain than per-user attachment. Because the condition uses BoolIfExists, the Deny applies both when aws:MultiFactorAuthPresent is "false" (a session that was not MFA-authenticated) and when the key is absent altogether (requests signed with long-term access keys), so it does enforce MFA. Two caveats before rolling it out: as written it also denies the iam:CreateVirtualMFADevice and iam:EnableMFADevice calls a user needs to enroll, so either an administrator enrolls devices on users' behalf or the policy must exempt those self-enrollment actions; and it blocks CLI use with access keys until the user obtains MFA-backed temporary credentials via sts get-session-token. Pilot the policy on a small group before applying it account-wide.
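An enforcement policy that keeps self-enrollment possible, as an added example that is not part of the original page; it follows the self-manage-MFA pattern from the AWS IAM user guide. The Sid values are illustrative. The Deny statement is the page's policy with a NotAction list: the exempted actions are the ones needed to set up a first device and to obtain an MFA-backed session, and the Allow statements grant them only on the calling user's own resources via ${aws:username}:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListVirtualMFADevicesForConsole",
      "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices",
      "Resource": "*"
    },
    {
      "Sid": "AllowCreateOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Note that iam:DeactivateMFADevice is allowed but deliberately not listed in NotAction, so a user can replace a lost device only from an MFA-authenticated session; an attacker holding just the password cannot strip MFA. Save the document as force-mfa.json and attach it to a group, for example with `aws iam create-group --group-name RequireMFA`, `aws iam put-group-policy --group-name RequireMFA --policy-name ForceMFA --policy-document file://force-mfa.json` and `aws iam add-user-to-group --group-name RequireMFA --user-name <UserName>` (group and policy names are illustrative).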

3. Communicate Policy Changes

Notify users that MFA is now required and provide instructions on how to set up their MFA devices.

4. Monitor Compliance

Regularly use the AWS IAM Console or CLI commands to check if all users with console passwords have MFA enabled.
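The audit in Step 1 and the recurring compliance check here are the same query over the IAM credential report, so the script below serves both. It is an added example, not code from the original page. The live path needs iam:GenerateCredentialReport and iam:GetCredentialReport permissions and is not executed here; the embedded report, the account ID 111122223333 and the user names are constructed for the example, and trailing access-key and certificate columns are omitted because the check does not read them.

```shell
#!/bin/sh
# Added example (not from the original page): find IAM users that have a
# console password but no MFA device, from the IAM credential report.
# Report columns used: 1=user, 4=password_enabled, 8=mfa_active.

# Live path: generate the report, wait until it is ready, decode it to CSV.
# Not executed in this example; requires AWS credentials with
# iam:GenerateCredentialReport and iam:GetCredentialReport.
fetch_credential_report() {
    # generate-credential-report is asynchronous: it answers STARTED or
    # INPROGRESS until a fresh report exists, then COMPLETE. Reports are
    # cached for about four hours.
    until [ "$(aws iam generate-credential-report --query State --output text)" = "COMPLETE" ]; do
        sleep 2
    done
    aws iam get-credential-report --query Content --output text | base64 -d
}

# Read a credential report CSV on stdin and print non-compliant user names,
# one per line. Only rows with password_enabled exactly "true" and
# mfa_active "false" match: the root row carries "not_supported" in
# column 4 and is outside this rule, and users with password_enabled
# "false" are access-key-only and also out of scope.
users_missing_mfa() {
    awk -F, 'NR > 1 && $4 == "true" && $8 == "false" { print $1 }'
}

# Constructed sample report (account ID and users are made up; trailing
# access-key and certificate columns dropped). "bob" has a password he has
# never used, so filtering list-users on PasswordLastUsed would miss him;
# the credential report does not.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T00:00:00+00:00,true,no_information,2024-01-01T00:00:00+00:00,N/A,false
carol,arn:aws:iam::111122223333:user/carol,2023-07-10T00:00:00+00:00,true,2024-04-20T00:00:00+00:00,2023-07-10T00:00:00+00:00,N/A,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false'

# Run the check against the constructed report and return the findings.
audit_sample_report() {
    printf '%s\n' "$SAMPLE_REPORT" | users_missing_mfa
}

# Exit status suitable for a cron job or CI gate: 0 when every user with a
# console password has MFA, 1 otherwise.
sample_is_compliant() {
    [ -z "$(audit_sample_report)" ]
}

echo "IAM users with a console password and no MFA:"
audit_sample_report
```

To run the check against a live account, replace `printf '%s\n' "$SAMPLE_REPORT"` with `fetch_credential_report` in audit_sample_report; the awk filter works unchanged on the full 22-column report.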

CLI Commands Required

  • To list all IAM users:
    aws iam list-users
  • To list every user's console-password and MFA status (credential report, columns user, password_enabled, mfa_active):
    aws iam generate-credential-report
    aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8
  • To check whether a user has a console password (fails with NoSuchEntity if not):
    aws iam get-login-profile --user-name <UserName>
  • To list MFA devices for a user:
    aws iam list-mfa-devices --user-name <UserName>
  • To create a virtual MFA device:
    aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa-device-name> --outfile <path-to-output> --bootstrap-method QRCodePNG
  • To associate the virtual MFA device with a user:
    aws iam enable-mfa-device --user-name <UserName> --serial-number <SerialNumber> --authentication-code-1 <Code1> --authentication-code-2 <Code2>

Conclusion

Ensuring MFA is enabled for all IAM users with a console password is a best practice and aligns with the CIS (Center for Internet Security) AWS Foundations Benchmark. By following the guide above you can bring an account into compliance with this rule and raise the security posture of the AWS environment. Regular audits of the credential report, periodic policy reviews, and user education help maintain compliance and protect against credential-based attacks.
