IAM Root User Hardware MFA Should Be Enabled for CISA-Cyber-Essentials
Rule | IAM root user hardware MFA should be enabled
Framework | CISA-cyber-essentials
Severity | Critical
This rule checks that the AWS account root user has a hardware MFA device enabled, rather than no MFA or a virtual (software) MFA device.
Overview
Multi-Factor Authentication (MFA) is an authentication process that requires more than one factor from independent categories (for example, something you know, such as a password, and something you have, such as a token) to verify a user's identity for a sign-in or other transaction. Both virtual and hardware MFA add a possession factor; the advantage of hardware MFA for a highly privileged account like the AWS root user is that the secret is stored in a dedicated device and cannot be exported, backed up to the cloud, or harvested by malware on a phone or workstation the way a virtual MFA app's seed can.
The Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Essentials toolkit recommends the use of hardware-based MFA for critical accounts, as part of a culture of cyber readiness. In this guide, we’ll walk through the steps to enable hardware MFA for an AWS IAM root user.
Prerequisites
You need the root user's sign-in credentials (account email address and password) and a hardware MFA device that AWS supports (see Step 1). Treat this as a planned change: the root user should sign in rarely, so have the device registered and tested before it is needed.
Step-by-Step Guide for Remediation
Step 1: Acquire a Hardware MFA Device
Before enabling hardware MFA, you must acquire a device that AWS supports. AWS accepts two kinds of hardware device for the root user: FIDO security keys (for example, YubiKey) and hardware TOTP tokens such as the Gemalto/Thales key-fob and display-card tokens. Hardware TOTP tokens must be bought through the vendor AWS lists on its MFA page, because their seeds are pre-registered with AWS; an arbitrary TOTP fob will not work. The steps below follow the hardware TOTP token flow.
Step 2: Sign in to the AWS Management Console
Sign in to the AWS Management Console as the root user, selecting "Root user" on the sign-in page and using the account's email address and password.
Step 3: Navigate to the Security Credentials Page
Once signed in, click your account name in the navigation bar at the top of the screen and choose "Security credentials" from the dropdown menu (labelled "My Security Credentials" in older versions of the console).
Step 4: Activate MFA on Your Root Account
In the "Multi-Factor Authentication (MFA)" section, click "Assign MFA device" (labelled "Activate MFA" in older versions of the console), give the device a name, and choose "Hardware TOTP token" (formerly "Hardware MFA device") as the device type.
Step 5: Register the Hardware MFA Device
Follow the on-screen instructions to enter the serial number printed on the hardware MFA device and the codes it generates. You must enter two consecutive codes, waiting for the first code to change before reading the second; TOTP codes rotate every 30 seconds, so enter each one promptly.
Step 6: Enable MFA
After the two codes are accepted, click "Add MFA" (formerly "Enable MFA"). The root user now requires the hardware device at every sign-in; confirm that the device appears in the MFA section of the Security credentials page. AWS allows up to eight MFA devices per user, so register a second hardware device as a backup and store it in a separate physical location.
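Once the device is registered, verify the control independently of the console. The following Python (added here as an illustration; it is not code from the original page) encodes the logic this rule is checking with the two IAM API calls involved: GetAccountSummary reports AccountMFAEnabled, which is 1 when the root user has any MFA device, and ListVirtualMFADevices lists assigned virtual devices, where the root user's virtual device carries the fixed serial number arn:aws:iam::<account-id>:mfa/root-account-mfa-device. Hardware MFA is therefore inferred as "MFA enabled on root AND no virtual device assigned to root". The sample API responses and account ID 123456789012 are constructed; the optional live check uses boto3 and needs iam:GetAccountSummary and iam:ListVirtualMFADevices.

```python
"""Evaluate the 'IAM root user hardware MFA should be enabled' control.

Pure evaluation over IAM API responses, plus an optional live fetch via boto3.
"""
from __future__ import annotations

from dataclasses import dataclass

# The root user's virtual MFA device always has this serial-number suffix;
# the device's User.Arn ends in ':root'.
ROOT_VIRTUAL_MFA_SUFFIX = ":mfa/root-account-mfa-device"


@dataclass(frozen=True)
class RootMfaResult:
    status: str  # "ok" or "alarm"
    reason: str


def evaluate_root_mfa(account_summary: dict, virtual_mfa_devices: list[dict]) -> RootMfaResult:
    """Return 'ok' only if root has MFA enabled and none of it is a virtual device."""
    summary_map = account_summary.get("SummaryMap", {})
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return RootMfaResult("alarm", "root user has no MFA device of any kind")

    for device in virtual_mfa_devices:
        serial = device.get("SerialNumber", "")
        user_arn = device.get("User", {}).get("Arn", "")
        # Conservative: any virtual device assigned to root fails the control,
        # even if a hardware device is also registered (root may hold several).
        if serial.endswith(ROOT_VIRTUAL_MFA_SUFFIX) or user_arn.endswith(":root"):
            return RootMfaResult("alarm", f"root user MFA is a virtual (software) device: {serial}")

    return RootMfaResult("ok", "root user MFA is enabled and not a virtual device (hardware MFA)")


def fetch_and_evaluate(session=None) -> RootMfaResult:
    """Live check against the current account (requires boto3 and credentials)."""
    import boto3  # imported here so evaluate_root_mfa() runs without boto3 installed

    iam = (session or boto3.Session()).client("iam")
    summary = iam.get_account_summary()
    devices: list[dict] = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return evaluate_root_mfa(summary, devices)


# --- Constructed sample responses (shape of the real API, fake account id) ---
SUMMARY_NO_MFA = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}
SUMMARY_MFA = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}
VIRTUAL_ROOT = [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"},
}]
VIRTUAL_IAM_USER = [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
    "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserName": "alice"},
}]


if __name__ == "__main__":
    cases = {
        "no MFA at all": (SUMMARY_NO_MFA, []),
        "virtual MFA on root": (SUMMARY_MFA, VIRTUAL_ROOT),
        "hardware MFA on root": (SUMMARY_MFA, []),
        "hardware root, virtual IAM user": (SUMMARY_MFA, VIRTUAL_IAM_USER),
    }
    for name, (summary, devices) in cases.items():
        result = evaluate_root_mfa(summary, devices)
        print(f"{name:32s} -> {result.status:5s} {result.reason}")
```

Run it with no arguments to see the four constructed cases; call fetch_and_evaluate() from a session holding read-only IAM credentials to check a real account. Note that the result distinguishes only "virtual" from "not virtual": the IAM API does not say whether the non-virtual device is a FIDO key or a TOTP token, which is why the rule is phrased as it is.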
Troubleshooting Steps
MFA Device Is Not Working
A hardware TOTP token keeps its own clock and can drift out of sync with AWS, so its codes are rejected even though the device itself is fine. Resynchronise it before assuming it is faulty: for the root user, use the resync option next to the device on the Security credentials page and enter two consecutive codes; for an IAM user the equivalent is the resync-mfa-device CLI command. If the serial number was mistyped at registration, deactivate the device and register it again.
Unable to Access the Account with MFA
If the root user's hardware device is lost or broken, use the "Troubleshoot MFA" link on the MFA prompt to sign in using alternative factors of authentication. AWS verifies the email address and phone number registered on the account, so keep those contact details current and reachable by more than one person. Once signed in, deactivate the lost device immediately and register a replacement. Registering a second hardware device in advance (AWS allows several per user) avoids this recovery path altogether.
AWS CLI Commands
The IAM MFA commands in the AWS CLI (enable-mfa-device, resync-mfa-device, deactivate-mfa-device) all require a --user-name, so they manage IAM users' devices; the root user's MFA devices are set up and removed in the console as described above. For example, to deactivate an MFA device for an IAM user, replacing <username> and <mfa-device-serial-number> with actual values:
aws iam deactivate-mfa-device --user-name <username> --serial-number <mfa-device-serial-number>
Conclusion
Enabling hardware MFA for the IAM root user satisfies this CISA Cyber Essentials control and removes the most valuable single credential in the account from the reach of phishing and device malware. Register the device, verify that it appears on the Security credentials page, keep a backup device and current account contact details, and store the root password and devices separately.