Rule: Ensure MFA is enabled for the 'root' user account
This rule enforces enabling MFA for the 'root' user account.
| Rule | Ensure MFA is enabled for the 'root' user account |
| Framework | cis_v150 |
| Severity | ✔ Low |
Rule Description
The rule 'cis_v150' requires Multi-Factor Authentication (MFA) to be enabled for the 'root' user account. Enabling MFA adds an extra layer of security to prevent unauthorized access to the root account, which is the most powerful and sensitive account within an AWS environment.
Troubleshooting Steps (if necessary)
If MFA is not enabled for the 'root' user account, follow the steps below to troubleshoot the issue:
- 1.Ensure that you have the necessary permissions to manage IAM users and access the AWS Management Console.
- 2.Verify that the 'root' user account is active and accessible.
- 3.Check the 'root' user's MFA device status. If it is not enabled, proceed with the remediation steps.
Remediation Steps
To enable MFA for the 'root' user account, follow the step-by-step guide below:
- 1.
Sign in to the AWS Management Console using the credentials for the 'root' user account.
- 2.
Navigate to the IAM service by searching for 'IAM' in the AWS Management Console search bar.
- 3.
In the IAM dashboard, click on 'Users' from the left-hand menu.
- 4.
Locate the 'root' user in the user list and select it by clicking on the username.
- 5.
In the 'Summary' tab of the 'User details' section, click on the 'Manage' button next to 'Multi-factor authentication (MFA)'.
- 6.
Click on the 'Activate MFA' button to enable MFA for the 'root' user account.
- 7.
Choose a MFA device option: 'Virtual MFA device' or 'U2F security key'. Select the appropriate option based on your preference or organizational requirements.
- Virtual MFA device: Set up a virtual MFA device using a compatible MFA application such as Google Authenticator or Authy.
- U2F security key: Set up a physical hardware security key that supports U2F standard (such as YubiKey).
- 8.
Follow the on-screen instructions to complete the MFA device setup process.
- 9.
After configuring the MFA device, click on the 'Next Step' button to proceed.
- 10.
In the next step, you will be prompted to enter two consecutive MFA codes from your configured MFA device. Enter the codes and click on the 'Next Step' button.
- 11.
Review the MFA activation details, and if everything looks correct, click on the 'Activate MFA' button to enable MFA for the 'root' user account.
- 12.
Once MFA is successfully enabled, you will receive a confirmation message. Click on the 'Close' button to exit the wizard.
Verification
To verify if MFA is successfully enabled for the 'root' user account, follow these steps:
- 1.
Sign out of the AWS Management Console.
- 2.
Sign back in using the credentials for the 'root' user account.
- 3.
After entering the password, you will be prompted to enter the MFA code generated by your MFA device.
- 4.
Enter the code from your MFA device and proceed to log in. If the login is successful, it indicates that MFA is enabled for the 'root' user account.
Additional Notes
- Enabling MFA for the 'root' user account adds an extra layer of security by requiring a second verification factor during login.
- It is recommended to have at least two MFA devices registered for the 'root' user to ensure redundancy and avoid being locked out in case of device loss or failure.
- Regularly review the MFA devices associated with the 'root' user account and remove any devices that are no longer in use or compromised.
- Store backup MFA codes in a secure location to ensure access to the AWS account in case of device loss or unavailability.