IAM Users with Console Access should have MFA Enabled Rule

This rule ensures that IAM users with console access must have multi-factor authentication (MFA) enabled for enhanced security.

Rule: IAM users with console access should have MFA enabled
Framework: CISA-cyber-essentials
Severity: High

IAM User MFA Requirement for CISA-Cyber Essentials

1. Rule Description

This rule enforces the requirement that IAM (Identity and Access Management) users with console access must have Multi-Factor Authentication (MFA) enabled. MFA adds an additional layer of security by requiring users to provide two or more forms of identification to access their accounts. By enabling MFA, organizations adhere to the security guidelines outlined in CISA-Cyber Essentials.

2. Troubleshooting Steps

If there are issues or concerns related to this rule, follow these troubleshooting steps:

1. User Awareness: Verify that IAM users are aware of the MFA requirement and the importance of enabling it.
2. User Permissions: Ensure that IAM users have the necessary permissions to enable MFA for their accounts.
3. MFA Device: Confirm that users have a compatible MFA device (e.g., hardware token, virtual MFA application) associated with their accounts.
4. Verification Code: Double-check that users are correctly entering the verification codes provided by their MFA device.
5. Account Recovery: If an IAM user is unable to access their MFA device, ensure there is a process in place for account recovery through alternate means.

3. Necessary Codes

The following IAM policy denies every request that was not authenticated with MFA, except for the few IAM and STS actions a user needs in order to view and set up an MFA device. Attach it to each IAM user with console access, or to a group that contains those users:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptMFASetupUnlessMFAPresent",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Note: The Deny applies to every action other than the listed MFA setup actions whenever the request was not MFA-authenticated. The condition uses BoolIfExists rather than Bool because the aws:MultiFactorAuthPresent key is absent from requests signed with long-term access keys; with plain Bool, such requests would not match the Deny at all. Console sign-in itself is not an IAM action, so a policy cannot block the login page; instead it blocks everything the signed-in user tries to do until MFA has been configured and used, which is what makes MFA effectively mandatory.
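To make the Bool versus BoolIfExists distinction concrete, here is an added example (not Cloud Defense code and not AWS code) that models only the Condition part of IAM policy evaluation for the two operators the statement uses, and runs a Deny statement against three constructed request contexts: an MFA-authenticated session, a session without MFA, and a request signed with long-term access keys where the aws:MultiFactorAuthPresent key is absent. The single-value clause handling is an assumption sufficient for this statement; real IAM evaluation supports many more operators and multi-valued keys.

```python
# Added example: a minimal model of how an IAM Condition block is evaluated
# for the operators Bool and BoolIfExists. It is not AWS code and models only
# single-valued clauses; Action/Resource matching is assumed to have succeeded.

MFA_KEY = "aws:MultiFactorAuthPresent"


def condition_matches(condition: dict, request_context: dict) -> bool:
    """Return True when every clause of the Condition block matches the
    request context. Clauses across operators and keys are ANDed."""
    for operator, clauses in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator!r} is not modelled here")
        for key, expected in clauses.items():
            if key not in request_context:
                # A missing key never matches under Bool, so the Deny would
                # not apply. Under BoolIfExists a missing key counts as a
                # match, which is why the MFA policy uses it.
                if operator == "Bool":
                    return False
                continue
            if str(request_context[key]).lower() != str(expected).lower():
                return False
    return True


def deny_applies(statement: dict, request_context: dict) -> bool:
    """True when a Deny statement's Condition matches the request."""
    return statement["Effect"] == "Deny" and condition_matches(
        statement["Condition"], request_context
    )


DENY_WITH_BOOL = {"Effect": "Deny", "Condition": {"Bool": {MFA_KEY: "false"}}}
DENY_WITH_BOOL_IF_EXISTS = {
    "Effect": "Deny",
    "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
}

# Constructed request contexts (not captured from a real account):
CTX_MFA_SESSION = {MFA_KEY: "true"}       # console session signed in with MFA
CTX_NO_MFA_SESSION = {MFA_KEY: "false"}   # temporary credentials, no MFA step
CTX_LONG_TERM_KEYS = {}                   # access-key request: key is absent


def compare_operators() -> dict:
    """Evaluate both Deny variants against the three contexts."""
    contexts = {
        "mfa_session": CTX_MFA_SESSION,
        "no_mfa_session": CTX_NO_MFA_SESSION,
        "long_term_keys": CTX_LONG_TERM_KEYS,
    }
    return {
        name: {
            "Bool": deny_applies(DENY_WITH_BOOL, ctx),
            "BoolIfExists": deny_applies(DENY_WITH_BOOL_IF_EXISTS, ctx),
        }
        for name, ctx in contexts.items()
    }


if __name__ == "__main__":
    for name, result in compare_operators().items():
        print(f"{name:16s} Bool={result['Bool']!s:5s} BoolIfExists={result['BoolIfExists']}")
```

The long_term_keys row is the one that matters: with Bool the Deny silently does not apply to access-key requests, while BoolIfExists denies them, so a user cannot sidestep the MFA requirement by using their access keys instead of the console.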

4. Step-by-Step Guide for Remediation

Follow these steps to enforce MFA for IAM users with console access:

1. Access IAM Management Console: Log in to the AWS Management Console using the appropriate credentials.
2. Navigate to IAM: In the AWS Management Console, search for "IAM" or find it under the "Security, Identity & Compliance" section.
3. Select the Desired IAM User: Select the IAM user for whom you want to enable MFA.
4. Enable MFA: Within the IAM user's summary page, click on the "Security credentials" tab.
5. Manage MFA Device: Under the "Multi-Factor Authentication (MFA)" section, click on "Manage".
6. Choose MFA Device: Select the appropriate MFA device option – either Virtual MFA device or U2F security key.
7. Follow the On-screen Instructions: Follow the instructions provided to associate and configure the MFA device with the IAM user.
8. Verify MFA: Once the MFA device is set up, a verification code will be required during the IAM user's login. Ensure the user can successfully authenticate using the MFA device.
9. Repeat for Additional Users: If necessary, repeat the process for other IAM users that require console access.
10. Verification and Compliance: Regularly review IAM users' MFA status and ensure compliance with the rule/policy requirements.

By following these steps, IAM users with console access will have MFA enabled, adhering to the CISA-Cyber Essentials security guidelines.
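Step 10 calls for a regular review of MFA status. The IAM credential report (generated with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report`, whose Content field is base64-encoded CSV) lists every user with a password_enabled and an mfa_active column, which is exactly what this rule checks. The following is an added example, not Cloud Defense code, that parses such a report and flags console users without MFA; the sample report is constructed for the example and is not from a real account, and only the columns the check reads are meaningful.

```python
import csv
import io

# Constructed sample in the shape of an IAM credential report. Column names
# follow the real report; values are invented for this example. Root appears
# as <root_account> with password_enabled "not_supported".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-05T09:12:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::111111111111:user/alice,2021-03-02T10:00:00+00:00,true,2024-01-04T08:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111111111111:user/bob,2021-03-02T10:05:00+00:00,true,2024-01-03T14:30:00+00:00,2023-11-20T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-06-10T12:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

ROOT_USER = "<root_account>"


def parse_credential_report(report_csv: str) -> list[dict]:
    """Parse the CSV body of a credential report into one dict per row."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def console_users_without_mfa(rows: list[dict]) -> list[str]:
    """Names of IAM users who can sign in with a password (console access)
    but have no active MFA device. Users with no password, such as
    CI service users, are out of scope for this rule and are skipped."""
    return [
        row["user"]
        for row in rows
        if row["user"] != ROOT_USER
        and row["password_enabled"].strip().lower() == "true"
        and row["mfa_active"].strip().lower() != "true"
    ]


def root_without_mfa(rows: list[dict]) -> bool:
    """Root always has console access but reports password_enabled as
    not_supported, so it needs its own check on mfa_active."""
    for row in rows:
        if row["user"] == ROOT_USER:
            return row["mfa_active"].strip().lower() != "true"
    return False


def audit(report_csv: str) -> dict:
    """Run both checks and return a summary suitable for a compliance job."""
    rows = parse_credential_report(report_csv)
    findings = console_users_without_mfa(rows)
    return {
        "console_users_without_mfa": findings,
        "root_without_mfa": root_without_mfa(rows),
        "compliant": not findings and not root_without_mfa(rows),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_REPORT)
    for user in result["console_users_without_mfa"]:
        print(f"FINDING: {user} has console access but no MFA")
    if result["root_without_mfa"]:
        print("FINDING: root account has no MFA")
    print("compliant:", result["compliant"])
```

Scheduling this against a freshly generated report gives a repeatable version of step 10: any user listed in console_users_without_mfa is a rule violation to remediate with steps 3 to 8 above.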