
Rule: IAM Users with Console Access Should Have MFA Enabled

This rule ensures that IAM users with console access have multi-factor authentication enabled for added security.

Rule: IAM users with console access should have MFA enabled
Framework: CISA-cyber-essentials
Severity: High

IAM User MFA Enforcement for CISA Cyber Essentials

Description

IAM (Identity and Access Management) is the AWS (Amazon Web Services) service for managing users, groups, roles and their access to AWS resources. MFA (Multi-Factor Authentication) adds a second authentication factor to sign-in, so a leaked or guessed password alone is not enough to reach the console. This rule checks that every IAM user who has a console password (a login profile) also has an MFA device assigned; users that have only access keys and no password are out of scope.

Enabling MFA for IAM users with console access ensures compliance with CISA Cyber Essentials guidelines, which help mitigate cybersecurity risks and strengthen overall security posture.

Troubleshooting Steps

In case of any issues, follow these steps for troubleshooting:

  1. Verify the MFA hardware/software: Confirm that the MFA device or authenticator app is working. For a virtual (TOTP) device, also check that the phone or token clock is accurate, since a skewed clock generates codes AWS rejects; if codes keep failing, resynchronise the device with `aws iam resync-mfa-device`.
  2. Check the IAM user configuration: Verify that the device is assigned to the right user (`aws iam list-mfa-devices --user-name <IAM-username>`) and that the user actually has a console password (login profile). A user without a password is not in scope for this rule.
  3. Review IAM policies: A policy that denies everything unless `aws:MultiFactorAuthPresent` is true must still allow the user's own MFA-management actions (`iam:CreateVirtualMFADevice`, `iam:EnableMFADevice`, `iam:ListMFADevices`, `iam:ResyncMFADevice` on the user's own ARN). Otherwise the enforcement policy locks users out before they can register a device.
  4. Check users' access permissions: Confirm that whoever performs the enrolment (the user or an administrator) has the permissions above for the target user and can sign in to the AWS Management Console. Adjust the permissions if required.

Necessary Codes

No specific codes are necessary for this rule. However, the following AWS CLI (Command Line Interface) commands manage MFA for IAM users:

  • To enable a virtual or hardware TOTP MFA device for an IAM user (the two codes must be consecutive codes from the device):

    aws iam enable-mfa-device --user-name <IAM-username> --serial-number <MFA-serial-number> --authentication-code1 <code-1> --authentication-code2 <code-2>
    
  • To list IAM users that have a virtual MFA device assigned (without `--assignment-status Assigned` the output also includes unassigned devices, whose `User` field is empty; hardware tokens and FIDO security keys are not listed here and must be checked per user with `aws iam list-mfa-devices --user-name <IAM-username>`):

    aws iam list-virtual-mfa-devices --assignment-status Assigned --query 'VirtualMFADevices[].User.UserName'
    
  • To disable MFA for an IAM user (this makes the user non-compliant with the rule again; a virtual device that is no longer needed should afterwards be removed with `aws iam delete-virtual-mfa-device`):

    aws iam deactivate-mfa-device --user-name <IAM-username> --serial-number <MFA-serial-number>
    

Step-by-Step Guide for Remediation

Follow these steps to enable MFA for IAM users with console access:

  1. Identify the IAM users who have a console password but no MFA device. The IAM credential report lists every user with its `password_enabled` and `mfa_active` columns in one pass, which is faster than checking users one at a time.

  2. Choose the MFA type for each user. AWS supports virtual MFA devices (TOTP authenticator apps such as Google Authenticator or Authy), FIDO security keys (for example a YubiKey) and hardware TOTP tokens. FIDO security keys can only be registered through the AWS Management Console; the CLI command above applies to virtual and hardware TOTP devices.

  3. Obtain the serial number or ARN (Amazon Resource Name) of each device. For a virtual device, create it first with `aws iam create-virtual-mfa-device --virtual-mfa-device-name <name> --outfile <qr-code.png> --bootstrap-method QRCodePNG`; the ARN it returns is the serial number used in the next step, and the QR code (or the Base32 seed, with `--bootstrap-method Base32StringSeed`) is what the user scans into the authenticator app. Hardware tokens carry their serial number on the device.

  4. For each IAM user, enable MFA using the AWS Management Console or the AWS CLI.

    • AWS Management Console:
      a. Sign in to the AWS Management Console with credentials that are allowed to manage the user's MFA.
      b. Navigate to the IAM service.
      c. Select the desired IAM user from the list of users.
      d. Choose the "Security Credentials" tab.
      e. Under the "Multi-Factor Authentication (MFA)" section, click "Manage MFA Device".
      f. Follow the on-screen instructions to set up the MFA device; the console asks for two consecutive codes to confirm the device is synchronised.

    • AWS CLI:
      a. Install and configure the AWS CLI on your local machine.
      b. Open a terminal or command prompt.
      c. Execute the `aws iam enable-mfa-device` command mentioned above, providing the necessary parameters:

      - `<IAM-username>`: Replace with the IAM username requiring MFA.
      - `<MFA-serial-number>`: Replace with the hardware token's serial number or the virtual device's ARN.
      - `<code-1>` and `<code-2>`: Replace with two consecutive authentication codes generated by the MFA device or app. If the call fails with an invalid-code error, wait for the next code and retry with a fresh consecutive pair.
      
  5. Repeat step 4 for all the IAM users that require MFA enforcement.

  6. Periodically review and ensure that MFA is still enabled for all IAM users with console access, since an MFA device can be deactivated at any time by anyone holding `iam:DeactivateMFADevice` on the user.

By following these steps, MFA can be properly enforced for IAM users, aligning with CISA Cyber Essentials compliance guidelines and strengthening security for AWS resources.
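The check that this rule performs, and that step 6 asks to repeat periodically, is best run over the IAM credential report rather than the per-device listing commands, because the report covers every user and every MFA type in one document. The script below is an added example, not Cloud Defense's or AWS's code. The report column names are the real ones from `aws iam get-credential-report`; the rows, the account ID `123456789012` and the user names are constructed sample data, and the file name `check_console_mfa.py` is an assumption. It skips the `<root_account>` row (root reports `password_enabled` as `not_supported` and is covered by a separate rule) and ignores users with access keys only, exactly as the rule's scope requires.

```python
"""Audit an AWS IAM credential report for console users without MFA (added example).

Fetch a real report with:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d > report.csv
then run:  python check_console_mfa.py report.csv
Without an argument the constructed sample report below is used.
"""
import base64
import csv
import io
import sys

ROOT_USER = "<root_account>"

# Real column order of the IAM credential report. The rows are constructed sample data,
# not taken from a real account (123456789012 is the AWS documentation placeholder ID).
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
    "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,"
    "cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    # root: password_enabled is reported as not_supported; handled by a separate root-MFA rule
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,"
    "2024-03-01T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,"
    "N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # alice: console password and an active MFA device -> compliant
    "alice,arn:aws:iam::123456789012:user/alice,2021-05-02T08:00:00+00:00,true,"
    "2024-03-02T07:30:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,true,"
    "2024-01-15T10:00:00+00:00,2024-03-02T07:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,"
    "false,N/A,false,N/A\n"
    # bob: console password but no MFA -> the finding this rule reports
    "bob,arn:aws:iam::123456789012:user/bob,2022-09-14T11:00:00+00:00,true,"
    "2024-02-28T16:45:00+00:00,2023-12-01T10:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # ci-deploy: access keys only, no console password -> out of scope for this rule
    "ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-20T10:00:00+00:00,false,"
    "no_information,N/A,N/A,false,true,2023-01-20T10:00:00+00:00,2024-03-02T09:10:00+00:00,"
    "us-west-2,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)

# What `aws iam get-credential-report --query Content --output text` actually returns.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT.encode("utf-8")).decode("ascii")


def decode_report(content_b64: str) -> str:
    """The Content field of get-credential-report is the CSV body, base64-encoded."""
    return base64.b64decode(content_b64).decode("utf-8")


def console_users_without_mfa(report_csv: str) -> list:
    """Return the IAM user names that have a console password but no active MFA device."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER:
            continue  # root has no login profile in the IAM sense; separate rule
        # Only the literal "true" counts: root's "not_supported" and "false" both fall through.
        has_console_password = row["password_enabled"].strip().lower() == "true"
        mfa_active = row["mfa_active"].strip().lower() == "true"
        if has_console_password and not mfa_active:
            findings.append(row["user"])
    return findings


def evaluate(report_csv: str) -> dict:
    """Map the findings onto the rule's pass/fail result."""
    users = console_users_without_mfa(report_csv)
    return {
        "rule": "IAM users with console access should have MFA enabled",
        "severity": "High",
        "status": "FAIL" if users else "PASS",
        "noncompliant_users": users,
    }


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    result = evaluate(report)
    print(f"{result['status']}: {len(result['noncompliant_users'])} console user(s) without MFA")
    for name in result["noncompliant_users"]:
        print(f"  - {name}")
    return 1 if result["status"] == "FAIL" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on the sample data it reports `FAIL` with `bob` as the only non-compliant user: alice has MFA, ci-deploy has no password, and root is deliberately excluded. Two operational caveats: the credential report is cached for up to four hours, so call `generate-credential-report` (and wait for `COMPLETE`) before fetching it, and `mfa_active` is `true` for any device type, so a user whose only factor is a FIDO security key is correctly reported as compliant even though `list-virtual-mfa-devices` would not show them.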
