
IAM Users with Console Access Should Have MFA Enabled Rule

This rule ensures that IAM users with console access have MFA enabled.

Rule: IAM users with console access should have MFA enabled
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

This rule ensures that IAM users with console access have Multi-Factor Authentication (MFA) enabled. This is necessary to meet the security requirements of the FedRAMP Low Revision 4 guidelines. MFA adds an additional layer of security by requiring users to provide two or more credentials (typically a password and a unique code from a registered device) to access their AWS Management Console.

Troubleshooting Steps:

  1. Verify IAM user's console access: Check if the IAM user in question has permission to access the AWS Management Console.

  2. Confirm MFA configuration: Validate if MFA is already enabled for the IAM user account.

  3. Check MFA device association: Ensure that the IAM user has associated an MFA device with their account.

  4. Verify MFA device registration: Confirm if the MFA device associated with the IAM user account is properly registered and functional.

Necessary Codes:

No specific code is required for this rule. However, CLI commands may be useful for identifying and managing IAM users, their MFA settings, and associated devices.
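One way to carry out troubleshooting steps 1 and 2 across a whole account at once is to read the IAM credential report, which lists every user with a `password_enabled` column (console access) and an `mfa_active` column. The following is an added example, not Cloud Defense code or an AWS-provided script: it parses a decoded credential report and returns the users that this rule would flag. In practice the report is produced with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`; the CSV embedded here is a constructed excerpt that uses a subset of the real column names with made-up account and user values.

```python
"""Find IAM users who can sign in to the console but have no active MFA device.

Added example, not Cloud Defense or AWS code. The input is the IAM credential
report CSV, which the real CLI produces with:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d
SAMPLE_REPORT below is a constructed excerpt: real column names, made-up values.
"""
from __future__ import annotations

import csv
import io

# Constructed sample report (subset of the real columns; account id and users are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-10T12:00:00+00:00,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T09:00:00+00:00,true,2024-01-09T08:15:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-06-15T10:30:00+00:00,true,no_information,false,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-06-15T10:30:00+00:00,false,N/A,false,true
carol,arn:aws:iam::123456789012:user/carol,2023-11-20T14:45:00+00:00,true,2024-01-11T07:00:00+00:00,false,false
"""

# The credential report always lists the account root under this fixed name.
ROOT_USER = "<root_account>"


def parse_credential_report(report_csv: str) -> list[dict]:
    """Parse the decoded credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def has_console_access(row: dict) -> bool:
    """A user has console access when a login profile (password) is enabled.

    The report uses the strings "true", "false" and, for root, "not_supported".
    """
    return row["password_enabled"] == "true"


def users_missing_mfa(report_csv: str) -> list[str]:
    """Return the IAM user names with console access but no active MFA device.

    Root is skipped: its password shows as not_supported and root MFA is a
    separate control. Users without a password (API-only users such as
    svc-deploy) have no console access and are out of scope for this rule.
    """
    findings = []
    for row in parse_credential_report(report_csv):
        if row["user"] == ROOT_USER:
            continue
        if has_console_access(row) and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def summarize(report_csv: str) -> dict:
    """Counts a reviewer would report alongside the list of non-compliant users."""
    rows = [r for r in parse_credential_report(report_csv) if r["user"] != ROOT_USER]
    console_users = [r for r in rows if has_console_access(r)]
    missing = users_missing_mfa(report_csv)
    return {
        "iam_users": len(rows),
        "console_users": len(console_users),
        "console_users_without_mfa": len(missing),
        "non_compliant": missing,
    }


if __name__ == "__main__":
    for user in users_missing_mfa(SAMPLE_REPORT):
        print(f"NON-COMPLIANT: {user} has console access without MFA")
    print(summarize(SAMPLE_REPORT))
```

Against the constructed report the script flags `bob` and `carol`; `alice` is compliant and `svc-deploy` is ignored because it has no password. To run it on a real account, replace `SAMPLE_REPORT` with the decoded output of the two `aws iam` commands named in the lead-in; the report is generated at most once every four hours, so a stale report may not reflect an MFA device that was assigned minutes ago.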

Step-by-Step Guide for Remediation:

  1. Identify the IAM user(s) with console access:

    • Go to the AWS Management Console.
    • Open the IAM service.

  2. Check current MFA status for the IAM user:

    • Select "Users" from the left-hand navigation panel.
    • Search for the specific IAM user.
    • Verify if MFA is already enabled or not.

  3. Enable MFA for the IAM user:

    • From the IAM user's settings, select "Security credentials."
    • Under the "Multi-factor authentication" section, choose "Manage MFA."
    • Follow the on-screen instructions to set up MFA for the IAM user account.

  4. Associate an MFA device with the IAM user:

    • Choose the IAM user for whom you want to associate an MFA device.
    • Click on "Assign MFA Device" under the "Security credentials" tab.
    • Select either a virtual MFA device or a hardware MFA device.
    • Follow the provided instructions to complete the association process.

  5. Validate MFA device registration:

    • Confirm that the MFA device is properly registered and functional.
    • Test the MFA device by generating a time-based one-time password (TOTP) code.

  6. Repeat the above steps for all IAM users with console access, ensuring MFA is properly enabled.

Note:

Following this rule enhances the security of IAM users with console access by enabling MFA, which is a best practice.
