
IAM Root User Hardware MFA Enabled Rule

This rule requires that hardware MFA be enabled for the IAM root user of the AWS account.

Rule: IAM root user hardware MFA should be enabled
Framework: CISA-cyber-essentials
Severity: Critical

IAM Root User Hardware MFA Should Be Enabled for CISA-Cyber-Essentials

Overview

Multi-Factor Authentication (MFA) is a security process that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction. For high-level accounts like the AWS root user account, activating hardware MFA provides an extra layer of security over software-based MFA, as it requires something you have (the hardware device) and something you know (your password).

The Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Essentials toolkit recommends the use of hardware-based MFA for critical accounts, as part of a culture of cyber readiness. In this guide, we’ll walk through the steps to enable hardware MFA for an AWS IAM root user.

Prerequisites

  • Administrator access to the AWS Management Console.
  • A compatible hardware MFA device.

Step-by-Step Guide for Remediation

Step 1: Acquire a Hardware MFA Device

Before enabling hardware MFA, you must acquire an MFA device that is supported by AWS. AWS supports various hardware MFA devices like Gemalto tokens.

Step 2: Sign in to the AWS Management Console

Log in to your AWS account using your root user credentials.

Step 3: Navigate to the Security Credentials Page

Once logged into the AWS Management Console, click on your account name in the navigation bar at the top of the screen, and then click “My Security Credentials” from the dropdown menu.

Step 4: Activate MFA on Your Root Account

In the “Multi-Factor Authentication (MFA)” section, click on the “Activate MFA” button. Choose “Multi-Factor Authentication Device,” and then select “Hardware MFA Device.”

Step 5: Register the Hardware MFA Device

Follow the on-screen instructions to enter the serial number from the hardware MFA device and the MFA codes it generates. You will have to input two consecutive codes from your device to finalize the registration.

Step 6: Enable MFA

After successfully entering the codes, click “Enable MFA.” Your root user account now has hardware MFA enabled.

Troubleshooting Steps

MFA Device Is Not Working

  • Ensure the device is functioning correctly and has not expired.
  • Resync the hardware MFA device if its clock has drifted and the codes are no longer accepted.
  • Verify that the serial number and the MFA codes were entered correctly.

Unable to Access the Account with MFA

  • Use the MFA recovery options if set up previously.
  • Contact AWS Support for MFA device removal, which requires identity verification.

AWS CLI Commands

The AWS CLI provides commands for managing MFA devices, although the initial MFA setup for the root user should be done in the AWS Management Console. For example, the CLI can deactivate an MFA device for an IAM user:

aws iam deactivate-mfa-device --user-name <username> --serial-number <mfa-device-serial-number>

Remember to replace <username> and <mfa-device-serial-number> with actual values.
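The rule itself can be evaluated from two IAM API responses: the AccountMFAEnabled flag in GetAccountSummary shows whether the root user has any MFA device at all, and ListVirtualMFADevices shows whether the root user's device is a software (virtual) token rather than a hardware token. The following Python script is an added example, not Cloud Defense's or AWS's own code. The sample API responses and the 123456789012 account id are constructed for illustration; fetch_live_status is an assumption about how to wire the check to a real account with boto3 and needs credentials allowed to call iam:GetAccountSummary and iam:ListVirtualMFADevices.

```python
"""Evaluate "IAM root user hardware MFA should be enabled" from IAM API data.

Added example (not Cloud Defense's or AWS's code). The root user's virtual
MFA device, when one exists, is reported by ListVirtualMFADevices with a
serial number ending in mfa/root-account-mfa-device and a User ARN ending
in :root; if root has MFA enabled but no such virtual device, the device
must be a hardware token.
"""

ROOT_VIRTUAL_SERIAL_SUFFIX = "mfa/root-account-mfa-device"


def root_mfa_status(account_summary: dict, virtual_mfa_devices: list) -> str:
    """Return 'NO_MFA', 'VIRTUAL_MFA' or 'HARDWARE_MFA' for the root user.

    account_summary: the SummaryMap dict returned by iam:GetAccountSummary.
    virtual_mfa_devices: the VirtualMFADevices list returned by
        iam:ListVirtualMFADevices with AssignmentStatus=Assigned.
    """
    if account_summary.get("AccountMFAEnabled", 0) != 1:
        return "NO_MFA"
    for device in virtual_mfa_devices:
        serial = device.get("SerialNumber", "")
        user_arn = device.get("User", {}).get("Arn", "")
        if serial.endswith(ROOT_VIRTUAL_SERIAL_SUFFIX) or user_arn.endswith(":root"):
            return "VIRTUAL_MFA"
    return "HARDWARE_MFA"


def evaluate(account_summary: dict, virtual_mfa_devices: list) -> dict:
    """Map the status to a rule finding; only HARDWARE_MFA is compliant."""
    status = root_mfa_status(account_summary, virtual_mfa_devices)
    messages = {
        "NO_MFA": "Root user has no MFA device (critical).",
        "VIRTUAL_MFA": "Root user uses a virtual MFA device; replace with hardware MFA.",
        "HARDWARE_MFA": "Root user has hardware MFA enabled.",
    }
    return {"status": status, "compliant": status == "HARDWARE_MFA",
            "message": messages[status]}


def fetch_live_status() -> dict:
    """Run the check against a real account with boto3 (assumed wiring; not
    executed offline). Requires iam:GetAccountSummary and
    iam:ListVirtualMFADevices permissions."""
    import boto3  # imported here so the evaluation logic stays dependency-free
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(
            AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return evaluate(summary, devices)


# Constructed sample responses (account id 123456789012 is a placeholder).
SUMMARY_MFA_OFF = {"AccountMFAEnabled": 0, "Users": 3}
SUMMARY_MFA_ON = {"AccountMFAEnabled": 1, "Users": 3}
VIRTUAL_DEVICES_ROOT = [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root"},
}]
VIRTUAL_DEVICES_IAM_USER_ONLY = [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
    "User": {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
}]

if __name__ == "__main__":
    for label, summary, devices in [
        ("no MFA", SUMMARY_MFA_OFF, []),
        ("virtual MFA on root", SUMMARY_MFA_ON, VIRTUAL_DEVICES_ROOT),
        ("hardware MFA on root", SUMMARY_MFA_ON, VIRTUAL_DEVICES_IAM_USER_ONLY),
    ]:
        print(f"{label}: {evaluate(summary, devices)}")
```

The check treats any virtual device attached to the root user as a failure even when AccountMFAEnabled is set, which is what distinguishes this hardware-MFA rule from a plain "root MFA enabled" rule.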

Conclusion

Enabling hardware MFA for the IAM root user is crucial for complying with CISA's Cyber Essentials recommendations and provides a higher level of security for your AWS account. By following these steps, you can secure your root account effectively.

