
Rule: IAM Root User MFA Should Be Enabled

This rule ensures that Multi-Factor Authentication is enabled for the IAM root user.

Rule: IAM root user MFA should be enabled
Framework: FedRAMP Low Revision 4
Severity: Medium

Title: Enable MFA for IAM Root User in compliance with FedRAMP Low Revision 4

Description:

In order to comply with FedRAMP Low Revision 4 security requirements, Multi-Factor Authentication (MFA) should be enabled for the IAM Root User. Enabling MFA adds an extra layer of protection by requiring an additional authentication factor, in addition to a password, for accessing the root user account. This reduces the risk of unauthorized access and enhances the overall security posture of the AWS account.

Steps to Enable MFA for IAM Root User:

  1. Log in to the AWS Management Console using the root user credentials.
  2. Access the IAM service by searching for "IAM" in the AWS Management Console search bar and selecting "IAM" from the results.
  3. In the IAM navigation pane, click on "Users" to view a list of IAM users in the account.
  4. Locate the "Root" user in the user list and click on its username to open the User Details page.
  5. In the "Security credentials" tab, locate the "Multi-factor authentication (MFA)" section and click on the "Enable MFA" button.
  6. On the "Enable MFA" page, select the "Virtual MFA device" option.
  7. Choose a virtual MFA device from the list (e.g., "Virtual MFA") or click on "Continue" to create a new MFA device.
  8. If creating a new MFA device, follow the on-screen instructions to set up the virtual MFA device using a compatible MFA app (e.g., Google Authenticator, Authy) or a hardware device.
  9. Once the MFA device is set up, enter the two consecutive MFA codes displayed by the app/device in the corresponding fields on the "Enable MFA" page.
  10. Click on "Assign MFA" to enable MFA for the IAM Root User.

Troubleshooting Steps (if MFA setup encounters issues):

  1. If the MFA device is not recognized by AWS, ensure that the virtual MFA device is set up correctly according to the instructions provided during the MFA device creation process.
  2. If the MFA codes are not accepted, ensure that the codes entered are accurate and match the codes generated by the MFA app/device.
  3. If the MFA setup process fails, try creating a new MFA device and repeating the setup steps.
  4. If issues persist, consider using a different MFA app/device or contact AWS support for assistance.

Code Snippets (if applicable):

No specific code snippets are required for enabling MFA for the IAM Root User.
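Enabling MFA is a console procedure, but an auditor or a scheduled detection job still needs a way to verify the rule's condition without logging in as root. The Python below is an added example written for this page, not code from Cloud Defense or from AWS. It reads the root user's MFA state from two real read-only IAM data sources, the GetAccountSummary `AccountMFAEnabled` counter and the `<root_account>` row of the IAM credential report, and turns them into a finding tagged with this rule's framework and severity. The live path (`fetch_live`) assumes boto3 is installed and the caller holds `iam:GetAccountSummary`, `iam:GenerateCredentialReport` and `iam:GetCredentialReport`; the sample credential reports and the account ID `111122223333` are constructed so the evaluators can run offline.

```python
"""
Read-only check for the rule "IAM root user MFA should be enabled".

AWS exposes the root user's MFA state through two IAM read APIs:
  * GetAccountSummary   -> SummaryMap["AccountMFAEnabled"] is 1 when root MFA is on
  * GetCredentialReport -> CSV whose "<root_account>" row has mfa_active == "true"
The evaluators are pure functions over those responses so they can be tested
offline; fetch_live() pulls the real responses (assumes boto3 is installed).
"""
import csv
import io
from typing import Optional

RULE = "IAM root user MFA should be enabled"
FRAMEWORK = "FedRAMP Low Revision 4"
SEVERITY = "Medium"


def root_mfa_from_summary(summary_map: dict) -> bool:
    """True when GetAccountSummary reports AccountMFAEnabled == 1; a missing or
    malformed value is treated as 'not enabled'."""
    try:
        return int(summary_map.get("AccountMFAEnabled", 0)) == 1
    except (TypeError, ValueError):
        return False


def root_mfa_from_credential_report(report_csv: str) -> Optional[bool]:
    """Parse a credential report CSV. Returns True/False from the root user's
    mfa_active column, or None when the report carries no <root_account> row."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == "<root_account>":
            return (row.get("mfa_active") or "").strip().lower() == "true"
    return None


def evaluate(summary_map: dict, report_csv: str) -> dict:
    """Combine both sources into one finding. Fail closed: if either source
    says root MFA is off, the rule fails; a missing report row defers to the
    account summary."""
    summary_ok = root_mfa_from_summary(summary_map)
    report_ok = root_mfa_from_credential_report(report_csv)
    compliant = summary_ok and report_ok is not False
    return {
        "rule": RULE,
        "framework": FRAMEWORK,
        "severity": SEVERITY,
        "status": "PASS" if compliant else "FAIL",
        "evidence": {
            "AccountMFAEnabled": summary_ok,
            "credential_report_mfa_active": report_ok,
        },
    }


# Constructed sample credential reports, abbreviated to the columns used here.
# Account ID 111122223333 is a placeholder, not a real account.
SAMPLE_REPORT_MFA_ON = (
    "user,arn,password_enabled,mfa_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,not_supported,true\n"
    "alice,arn:aws:iam::111122223333:user/alice,true,true\n"
)
SAMPLE_REPORT_MFA_OFF = SAMPLE_REPORT_MFA_ON.replace(
    "not_supported,true", "not_supported,false", 1
)


def fetch_live() -> dict:
    """Fetch both responses with boto3 (assumed installed) and evaluate them.
    Needs iam:GetAccountSummary, iam:GenerateCredentialReport and
    iam:GetCredentialReport; the report is generated asynchronously, so poll."""
    import time
    import boto3  # assumption: boto3 is available in the environment

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    report = iam.get_credential_report()["Content"].decode("utf-8")
    return evaluate(summary, report)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(evaluate({"AccountMFAEnabled": 1}, SAMPLE_REPORT_MFA_ON)["status"])  # PASS
    print(evaluate({"AccountMFAEnabled": 0}, SAMPLE_REPORT_MFA_ON)["status"])  # FAIL
```

Running `evaluate` on a schedule (for example from a Lambda with a read-only IAM role) gives a continuous control rather than a one-time console check, and the returned dict already carries the rule, framework and severity from this page so it can be written straight to a findings store. Cross-checking two sources matters because the account summary counter and the credential report are produced independently; a disagreement between them is itself worth an alert.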

Please note that the IAM Root User should be used sparingly for administrative tasks, and it is recommended to create and use IAM users with appropriate permissions for day-to-day operations. The root user should only be used when absolutely necessary.
