
IAM Root User Hardware MFA Should Be Enabled Rule

This rule ensures the IAM root user has hardware MFA enabled for added security.

Rule: IAM root user hardware MFA should be enabled
Framework: FedRAMP Low Revision 4
Severity: Critical

IAM Root User Hardware MFA Policy

Description

The IAM Root User Hardware MFA policy requires that Multi-Factor Authentication (MFA) using a hardware device is enabled for the root user in AWS Identity and Access Management (IAM). This policy applies to environments that must comply with the Federal Risk and Authorization Management Program (FedRAMP) Low Revision 4 requirements.

Enabling hardware MFA for the root user adds a layer of security that helps prevent unauthorized access and protects critical resources in your AWS account.

Troubleshooting Steps

If you encounter any issues during the setup or use of the IAM Root User Hardware MFA, follow these troubleshooting steps:

  1. Ensure that you have a compatible hardware MFA device, such as an AWS-supported hardware key fob or virtual MFA device.
  2. Verify that the MFA device is properly synced with your AWS account by following the device-specific instructions.
  3. If you are unable to authenticate with the MFA device, ensure that you are providing the correct MFA token or code during the login process.
  4. If you are still having issues, consider disabling and re-enabling the hardware MFA device for the root user.
  5. If the problem persists, consult AWS documentation or contact AWS support for further assistance.

Code Example

The following code snippet illustrates how to enable hardware MFA for the root user in AWS IAM using the AWS Command Line Interface (CLI):

aws iam enable-mfa-device --user-name <root-user-name> --authentication-code1 <mfa-code-1> --authentication-code2 <mfa-code-2> --serial-number arn:aws:iam::<account-id>:mfa/<root-user-name>

Replace <root-user-name> with the actual name of the root user in IAM. <mfa-code-1> and <mfa-code-2> represent the authentication codes generated by the MFA device. <account-id> should be replaced with the ID of your AWS account.
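To check the condition this rule evaluates, rather than only enable MFA, the following added Python example (not code from the original page or from Cloud Defense's tooling) applies the usual compliance logic: the account summary must report MFA enabled for root, and no virtual MFA device may be assigned to root, otherwise the MFA in use is not a hardware device. It assumes you feed it the JSON printed by `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned`; the sample documents embedded below are constructed, not captured from a real account.

```python
"""Offline evaluation of 'IAM root user hardware MFA should be enabled'.

Compliant only when AccountMFAEnabled == 1 in the account summary AND no
virtual MFA device in the assigned-device list belongs to the root user.
Inputs are the JSON documents returned by the two AWS CLI calls named above.
"""
import json

# Serial-number suffix AWS uses for a virtual MFA device registered to root.
ROOT_VIRTUAL_MFA_SUFFIX = ":mfa/root-account-mfa-device"


def root_hardware_mfa_enabled(account_summary: dict, virtual_devices: dict) -> dict:
    """Return a verdict dict {'compliant': bool, 'reason': str} for alerting."""
    mfa_on = account_summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1
    # A device counts as root's if its serial carries the root name or its
    # assigned user ARN ends in ':root' (either field identifies the root user).
    root_virtual = [
        d.get("SerialNumber", "") for d in virtual_devices.get("VirtualMFADevices", [])
        if d.get("SerialNumber", "").endswith(ROOT_VIRTUAL_MFA_SUFFIX)
        or d.get("User", {}).get("Arn", "").endswith(":root")
    ]
    if not mfa_on:
        return {"compliant": False, "reason": "root user has no MFA device at all"}
    if root_virtual:
        return {"compliant": False,
                "reason": f"root MFA is a virtual device ({root_virtual[0]}), not hardware"}
    return {"compliant": True, "reason": "root MFA enabled and no virtual device assigned to root"}


def evaluate_cli_output(summary_json: str, devices_json: str) -> dict:
    """Convenience wrapper over the raw stdout strings of the two CLI calls."""
    return root_hardware_mfa_enabled(json.loads(summary_json), json.loads(devices_json))


# Constructed sample CLI output (placeholder account id) for a quick self-check.
SAMPLE_SUMMARY = '{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}'
SAMPLE_VIRTUAL_ROOT = json.dumps({"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"}}]})
SAMPLE_NO_VIRTUAL = '{"VirtualMFADevices": []}'

if __name__ == "__main__":
    print(evaluate_cli_output(SAMPLE_SUMMARY, SAMPLE_VIRTUAL_ROOT))  # compliant: False
    print(evaluate_cli_output(SAMPLE_SUMMARY, SAMPLE_NO_VIRTUAL))    # compliant: True
```

In a real audit, save the two CLI outputs to files and pass their contents to evaluate_cli_output; a virtual device assigned to any other IAM user does not affect the verdict.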

Remediation Steps

Follow these step-by-step instructions to enable hardware MFA for the root user in AWS IAM:

  1. Acquire a compatible hardware MFA device supported by AWS or set up a virtual MFA device using a mobile app.
  2. Log in to the AWS Management Console as the root user.
  3. Open the IAM console.
  4. Navigate to "Users" in the left-side menu and click on the root user.
  5. In the "Security credentials" tab, click on "Manage" in the "Multi-factor authentication (MFA)" section.
  6. Choose "Switch virtual MFA device" or "Activate hardware MFA device," depending on your device type.
  7. Follow the on-screen instructions to set up the MFA device, including inputting the device's serial number or scanning the QR code.
  8. After configuring the MFA device, enter two consecutive authentication codes to complete the setup process.
  9. Click on "Activate" or "Assign MFA" to enable MFA for the root user.
  10. Take note of the backup codes given during the setup, as they may be needed if the MFA device is lost or unavailable.
  11. Log out and log back in to test the MFA functionality for the root user.

Note: Make sure to securely store the backup codes and keep the MFA device in a safe place to avoid any potential security risks.

By following these steps, you will successfully enable hardware MFA for the root user in AWS IAM, meeting the requirements for FedRAMP Low Revision 4.
