IAM Root User Hardware MFA Enabled Rule

This rule ensures that IAM root user hardware MFA is enabled for added security measures.

Rule: IAM root user hardware MFA should be enabled
Framework: FedRAMP Low Revision 4
Severity: Critical

IAM Root User Hardware MFA for FedRAMP Low Revision 4 Compliance

Background

FedRAMP (Federal Risk and Authorization Management Program) is the U.S. federal program for authorizing cloud services, and its Low Impact baseline requires multi-factor authentication (MFA) for privileged accounts. The AWS root user is the most privileged identity in an account: it can close the account, change billing and support settings, and is not constrained by IAM identity policies, so a compromised root password with no second factor is a full account takeover. A hardware MFA device must be physically present to sign in, and unlike a virtual MFA app its secret cannot be exported, screenshotted, or restored to another phone. AWS accepts two kinds of hardware device: hardware TOTP tokens, which generate time-based one-time codes, and FIDO security keys, which answer a challenge from the browser with a signature. For FedRAMP Low, this rule requires that the root user's MFA device be one of these hardware devices rather than a virtual MFA app.

Enabling Hardware MFA for the IAM Root User

Step 1: Obtain a Hardware MFA Device

Before enabling MFA on your AWS account, obtain a hardware device AWS supports: either a hardware TOTP token (such as the Gemalto/Thales tokens sold for AWS) or a FIDO security key (such as a YubiKey). The two are registered differently. A TOTP token is set up by entering its serial number and two consecutive codes (Steps 5 and 6 below); a security key is registered by inserting it and touching it when the browser prompts, so Step 6 does not apply to it.

Step 2: Sign in to the AWS Management Console

Sign in to the AWS Management Console as the root user. MFA for the root user can only be managed while signed in as root; an IAM user or role cannot add, resync, or remove the root user's MFA device.

Step 3: Navigate to Security Credentials

In the navigation bar, click on your account name, and from the drop-down menu, select “My Security Credentials”.

Step 4: Activate MFA

Under the "Multi-Factor Authentication (MFA)" section, click on “Activate MFA” and choose a “Multi-factor authentication (MFA) device” to start the setup process.

Step 5: Select the Hardware MFA Device

In the setup wizard, choose "Hardware TOTP token" and enter the serial number printed on the back of the token exactly as shown; AWS stores that serial number as the device's identifier, so it must match. (If you are registering a FIDO security key, choose "Security key" instead and follow the browser prompt to insert and touch the key.)

Step 6: Synchronize the MFA Device

Enter two consecutive codes generated by the hardware MFA device to finalize the synchronization process. Press the button on the device to generate a code, wait for the next code cycle, and then enter the new code.

Step 7: Complete the Setup

Click "Activate MFA" to finish the setup. The system will confirm that the hardware MFA device is now associated with your AWS root account.

Troubleshooting Steps

If you encounter issues while enabling hardware MFA:

  • Device Synchronization: A hardware TOTP token has its own internal clock, which you cannot set. If its clock drifts far enough from AWS's, the codes it generates are rejected even though they look valid. Resynchronize it from the Security credentials page (select the device and enter two consecutive codes) rather than trying to change the token.
  • Incorrect Serial Number: Ensure the serial number entered matches the one printed on the hardware MFA device character for character; a mistyped serial number is the most common reason the two-code step fails.
  • Issues with Codes: Each code is valid only for a short window. Press the button on the device to generate a code and enter it promptly; for the two-code step, wait for the display to change before entering the second code so that the two codes are genuinely consecutive.

Remediation Commands and Actions

The root user is not an IAM user, so commands of the form aws iam ... --user-name root do not work: IAM returns NoSuchEntity because no IAM user named "root" exists. The IAM MFA APIs act on the root user only when the request is signed with root credentials and --user-name is omitted. Driving them from the CLI therefore requires root access keys, which should not exist in a hardened account, so add, resync, or remove the root MFA device from the console while signed in as root, and use the CLI from an ordinary IAM principal only to audit the current state.

To check whether the root user has any MFA device at all (requires iam:GetAccountSummary):

aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'

A value of 1 means the root user has at least one MFA device of some type; 0 means none. To confirm the device is not a virtual MFA app, list the assigned virtual devices and look for the root user's (requires iam:ListVirtualMFADevices):

aws iam list-virtual-mfa-devices --assignment-status Assigned --query "VirtualMFADevices[?ends_with(SerialNumber, 'root-account-mfa-device')]"

The rule is satisfied when AccountMFAEnabled is 1 and that list is empty. A non-empty list means the root user is protected by a virtual device and must be moved to a hardware device: sign in as root, register the hardware device, and then remove the virtual one.

If you are signed in with root credentials, the root user's own devices can be listed without a --user-name argument:

aws iam list-mfa-devices

If a hardware device has to be removed for troubleshooting (for example, a lost or faulty token), do it from the Security credentials page while signed in as root, and re-enable hardware MFA immediately afterwards. While root has no hardware MFA device the account is out of compliance with this rule, so deactivation should only be done when absolutely necessary and with a replacement device already on hand.
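The audit decision described in this section, as an added example rather than Cloud Defense's or AWS's own code: the function below takes the SummaryMap from get-account-summary and the VirtualMFADevices list from list-virtual-mfa-devices and classifies the root user's MFA as hardware, virtual, or absent, which is the same distinction the rule checks. Function names, the sample account ID, and the sample API responses are constructed for this example; audit_live_account assumes boto3 is installed and that the ambient credentials have the two IAM read permissions named in its docstring.

```python
"""Audit the AWS root user's MFA type from IAM API responses.

Added example, not Cloud Defense's or AWS's code. It reproduces the decision
a reviewer makes from 'aws iam get-account-summary' and
'aws iam list-virtual-mfa-devices': MFA must be on for the root user, and
none of the assigned virtual MFA devices may belong to root.
"""
from __future__ import annotations

# Serial number AWS assigns to a virtual MFA device created for the root
# user from the console: arn:aws:iam::<account-id>:mfa/root-account-mfa-device
ROOT_VIRTUAL_SERIAL_SUFFIX = ":mfa/root-account-mfa-device"


def root_mfa_status(summary: dict, virtual_devices: list[dict]) -> str:
    """Classify the root user's MFA.

    summary         -- the "SummaryMap" object from get-account-summary
    virtual_devices -- the "VirtualMFADevices" list from
                       list-virtual-mfa-devices --assignment-status Assigned
    Returns "NONE" (root has no MFA), "VIRTUAL" (an app-based device is
    assigned to root) or "HARDWARE" (MFA is on and no virtual device is root's).
    """
    # AccountMFAEnabled reports the root user's MFA state, not IAM users'.
    if int(summary.get("AccountMFAEnabled", 0)) != 1:
        return "NONE"
    for device in virtual_devices:
        serial = device.get("SerialNumber", "")
        user_arn = device.get("User", {}).get("Arn", "")
        # Root may hold several MFA devices; any virtual one fails the rule.
        if serial.endswith(ROOT_VIRTUAL_SERIAL_SUFFIX) or user_arn.endswith(":root"):
            return "VIRTUAL"
    return "HARDWARE"


def is_compliant(summary: dict, virtual_devices: list[dict]) -> bool:
    """True only when the root user's MFA is a hardware device."""
    return root_mfa_status(summary, virtual_devices) == "HARDWARE"


def audit_live_account() -> str:
    """Run the same check against real credentials (assumes boto3 is installed
    and the caller has iam:GetAccountSummary and iam:ListVirtualMFADevices)."""
    import boto3  # imported here so the offline functions above need no network

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
    return root_mfa_status(summary, devices)


# Constructed sample responses (not from a real account), one per outcome.
ACCOUNT = "123456789012"
SUMMARY_MFA_ON = {"AccountMFAEnabled": 1, "Users": 3, "MFADevices": 2}
SUMMARY_MFA_OFF = {"AccountMFAEnabled": 0, "Users": 3, "MFADevices": 1}
VIRTUAL_ON_ROOT = [
    {
        "SerialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/root-account-mfa-device",
        "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:root", "UserId": ACCOUNT},
    }
]
VIRTUAL_ON_IAM_USER_ONLY = [
    {
        "SerialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/alice",
        "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "UserId": "AIDAEXAMPLEALICE"},
    }
]

if __name__ == "__main__":
    for label, summary, devices in (
        ("hardware token on root", SUMMARY_MFA_ON, VIRTUAL_ON_IAM_USER_ONLY),
        ("virtual app on root", SUMMARY_MFA_ON, VIRTUAL_ON_ROOT),
        ("no MFA on root", SUMMARY_MFA_OFF, []),
    ):
        print(f"{label}: {root_mfa_status(summary, devices)}")
```

The check deliberately treats an account as non-compliant whenever any virtual device is assigned to root, even if a hardware token is also registered, because a virtual second factor that still works leaves the weaker path open.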

In conclusion, hardware MFA is a FedRAMP requirement for the root user accounts at the Low Impact Level to provide an additional layer of security beyond just the username and password. Ensuring it is enabled and functional is essential for maintaining compliance. The steps outlined above will help maintain this security posture effectively without unnecessary complexity.
