This rule ensures that IAM root user hardware MFA is enabled to enhance security measures.
Rule | IAM root user hardware MFA should be enabled |
Framework | CISA-cyber-essentials |
Severity | ✔ Critical |
IAM Root User Hardware MFA for CISA Cyber Essentials
Description:
To enhance the security of AWS resources and comply with CISA Cyber Essentials guidelines, it is recommended to enable Multi-Factor Authentication (MFA) specifically using hardware tokens for the IAM Root User. Enabling hardware MFA adds an extra layer of protection by requiring a physical token in addition to the regular password for user authentication.
Troubleshooting Steps:
If you experience any issues while enabling IAM Root User Hardware MFA for CISA Cyber Essentials, you can follow these troubleshooting steps:
Necessary Codes:
No specific codes are required for this policy. However, you might need to execute some CLI commands to enable and configure the hardware MFA for the IAM root user. The step-by-step guide below will provide you with the necessary commands.
Step-by-Step Guide:
Follow these steps to enable the IAM Root User Hardware MFA for CISA Cyber Essentials:
1. Log in to the AWS Management Console using the IAM root user credentials.
2. Navigate to the IAM service by searching for "IAM" in the AWS Management Console search bar and selecting the IAM service from the results.
3. In the left-hand menu, click on the "Dashboard" option.
4. Locate the field "Security status" and click on the "Manage MFA" link next to it.
5. On the Multi-factor authentication (MFA) page, click on the "Continue to Security Credentials" button.
6. Expand the "Multi-Factor Authentication (MFA)" section.
7. Click on the "Manage MFA" button next to "Root Account MFA."
8. Click on the "Activate MFA" button.
9. Choose the "A hardware MFA device" option and click on "Next Step."
10. In the "Scan the QR code" or "Enter key information manually" step, perform one of the following sub-steps:
11. Once the MFA device has been successfully registered, a confirmation message will be displayed.
12. Test the MFA device by entering the MFA code generated by your hardware token.
13. Click on the "Next: Contact Information" button.
14. Configure the contact information at your preference (optional) and click on the "Next: Review" button.
15. Review the provided details and click on the "Activate MFA" button.
16. A success message will be displayed, indicating that the MFA has been enabled for the IAM root user account.
Remember to properly store and secure your hardware MFA device to ensure its availability and prevent unauthorized access.
By following this guide, you have successfully enabled IAM Root User Hardware MFA to comply with CISA Cyber Essentials security guidelines.
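To confirm the result of the steps above, the following added example (not part of the original guide or of any AWS tooling) classifies the root user's MFA as none, virtual or hardware from two IAM API responses. The sample responses and account ID are constructed, the function names are hypothetical, and treating any virtual device assigned to root as a failure is this example's assumption.

```python
# Constructed sample data, shaped like the responses of the IAM
# GetAccountSummary and ListVirtualMFADevices APIs (account ID is made up).
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1}}
SAMPLE_VIRTUAL = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::111122223333:root"}},
]}


def root_mfa_status(summary, virtual_devices):
    """Classify root MFA as 'none', 'virtual' or 'hardware' (hypothetical helper).

    'hardware' here means MFA is on and no virtual device is assigned to root.
    """
    # AccountMFAEnabled is 1 when the root user has any MFA device.
    if summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        return "none"
    # Assumption of this example: any virtual device assigned to root fails
    # the check, even if a hardware device is registered as well.
    for device in virtual_devices.get("VirtualMFADevices", []):
        user_arn = (device.get("User") or {}).get("Arn", "")
        # The root ARN ends in ":root"; an IAM user named root ends in "user/root".
        if user_arn.endswith(":root"):
            return "virtual"
    return "hardware"


def fetch_root_mfa_status():
    """Run the same check against a live account (requires boto3 and credentials)."""
    import boto3  # imported lazily so the offline demo needs no AWS SDK

    iam = boto3.client("iam")
    summary = iam.get_account_summary()
    devices = {"VirtualMFADevices": []}
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices["VirtualMFADevices"].extend(page["VirtualMFADevices"])
    return root_mfa_status(summary, devices)


if __name__ == "__main__":
    # Offline demo on the constructed sample: root has a virtual device.
    print(root_mfa_status(SAMPLE_SUMMARY, SAMPLE_VIRTUAL))
```

A result of `virtual` or `none` means the rule on this page would still fail; `fetch_root_mfa_status()` needs credentials allowed to call `iam:GetAccountSummary` and `iam:ListVirtualMFADevices`.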