This rule mandates the enabling of MFA for all IAM users with console passwords.
| Rule | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
| Framework | cis_v150 |
| Severity | Critical |
Ensure Multi-Factor Authentication (MFA) is Enabled for All IAM Users That Have a Console Password
Multi-Factor Authentication (MFA) is a critical layer of security for protecting AWS resources. Enforcing MFA for IAM users with a console password helps to mitigate the risk of unauthorized access due to compromised credentials. This guide details the rule, provides troubleshooting steps, and includes necessary commands for remediation.
Description of the Rule
The rule aims to enforce the use of MFA for all IAM users within an AWS account that have access to the AWS Management Console. MFA requires users to present two or more pieces of evidence (or factors) before gaining access to the console, ensuring a higher level of security than username and password alone.
Troubleshooting Steps
If the rule fails, it indicates that there are IAM users with console access who do not have MFA enabled. You will need to identify and rectify this by ensuring that MFA is enabled for all such users.
Step 1: Identify Non-Compliant IAM Users
AWS Management Console:
AWS CLI: Run the following command to list the IAM users whose console password has been used at least once (PasswordLastUsed is absent for users who have never signed in, so a user with an unused password is not returned; aws iam get-login-profile --user-name <UserName> confirms whether a given user has a console password at all):
aws iam list-users --query 'Users[?PasswordLastUsed!=null].[UserName]' --output text
For each user returned by the above command, check whether an MFA device is configured (an empty MFADevices list means none is):
aws iam list-mfa-devices --user-name <UserName>
Step 2: Enable MFA for Users
AWS Management Console:
AWS CLI:
aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa-device-name> --outfile <path-to-output> --bootstrap-method QRCodePNG
aws iam enable-mfa-device --user-name <UserName> --serial-number <SerialNumber> --authentication-code-1 <Code1> --authentication-code-2 <Code2>
Follow the on-screen instructions to finish MFA setup using the user's preferred method (e.g., virtual MFA app, hardware token).
Remediation Steps
After identifying the IAM users without MFA via the troubleshooting steps, follow these remediation steps:
Step by Step Guide for Remediation
1. Configure MFA for Users
2. Enforce MFA via IAM Policies
Create an IAM policy that requires MFA to access AWS services:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
Attach this policy to all IAM users. If no MFA is present in the request context, the policy denies every request, effectively enforcing MFA. Note that, as written, it also denies the IAM calls a user needs to enroll their own device (iam:CreateVirtualMFADevice, iam:EnableMFADevice and related calls), so either configure devices before attaching it, as in step 1, or use the variant documented by AWS that exempts those self-enrollment actions with NotAction. Because the condition uses BoolIfExists, requests signed with long-term access keys, where the MFA key is absent, are denied as well.
3. Communicate Policy Changes
Notify users that MFA is now required and provide instructions on how to set up their MFA devices.
4. Monitor Compliance
Regularly use the AWS IAM Console or CLI commands to check if all users with console passwords have MFA enabled.
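The check in Step 1 and the recurring compliance check in step 4, as an added example that is not part of this rule page: it evaluates an IAM credential report rather than the PasswordLastUsed filter, so users whose password was never used are also caught. The sample report is constructed; the column names are those of the real credential report, and only a subset of its columns is shown.

```python
"""Find IAM users that have a console password but no active MFA device.

Added example, not part of the rule page. It evaluates an IAM credential report,
which also covers users whose password was never used (the PasswordLastUsed
filter above misses them). Live report: aws iam generate-credential-report, then
aws iam get-credential-report --query Content --output text | base64 -d
"""
import csv
import io

# Constructed sample report; only a subset of the real report's columns is shown.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111111111111:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-01T12:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111111111111:user/bob,2021-03-04T00:00:00+00:00,true,no_information,2024-01-01T00:00:00+00:00,N/A,false
carol,arn:aws:iam::111111111111:user/carol,2022-06-07T00:00:00+00:00,false,N/A,N/A,N/A,false
dave,arn:aws:iam::111111111111:user/dave,2023-08-09T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-02-01T00:00:00+00:00,N/A,false
"""

REQUIRED_COLUMNS = {"user", "password_enabled", "mfa_active"}


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return IAM user names with password_enabled=true and mfa_active!=true.

    The <root_account> row is skipped: root MFA is a separate CIS control and the
    report marks root's password_enabled as 'not_supported'. Users without a
    console password (password_enabled=false) are compliant regardless of MFA.
    """
    reader = csv.DictReader(io.StringIO(report_csv))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"credential report lacks columns: {sorted(missing)}")
    return [
        row["user"]
        for row in reader
        if row["user"] != "<root_account>"
        and row["password_enabled"] == "true"
        and row["mfa_active"] != "true"
    ]


if __name__ == "__main__":
    # bob (password never used) and dave are flagged; alice has MFA, carol has no password.
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"ALARM: {user} has a console password but no active MFA")
```

Run it against a real report by reading the decoded CSV into the function instead of SAMPLE_REPORT.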
CLI Commands Required
aws iam list-users
aws iam list-mfa-devices --user-name <UserName>
aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa-device-name> --outfile <path-to-output> --bootstrap-method QRCodePNG
aws iam enable-mfa-device --user-name <UserName> --serial-number <SerialNumber> --authentication-code-1 <Code1> --authentication-code-2 <Code2>
Conclusion
Ensuring MFA is enabled for all IAM users with a console password is a best practice and aligns with CIS (Center for Internet Security) benchmarks. By following the guide above, account administrators can bring their accounts into compliance with this rule and strengthen the security posture of their AWS environments. Regular audits, policy reviews, and user education help maintain compliance and protect against credential compromise.