This rule ensures that IAM root user has hardware MFA enabled for added security.
Rule: IAM root user hardware MFA should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: Critical
Rule Description
This rule requires that hardware MFA (Multi-Factor Authentication) be enabled for the IAM root user in order to meet FedRAMP Moderate Revision 4. FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach for assessing, authorizing, and monitoring the security of cloud products and services.
Hardware MFA for the IAM root user adds a layer of security: authenticating as root requires a physical device, such as a hardware token or smart card, in addition to the password.
Troubleshooting Steps
If hardware MFA for the IAM root user is not enabled or is not working, follow these troubleshooting steps:
Check IAM Root User Status: Verify if the IAM root user is currently active and accessible.
Verify Hardware MFA Devices: Ensure that the correct and functional hardware MFA device(s), such as hardware tokens or smart cards, are available for use.
Check MFA Configuration: Verify the MFA configuration settings for the IAM root user. Ensure that the hardware MFA option is selected and enabled.
Test MFA Device: Test the hardware MFA device(s) to ensure they are working properly. Follow the manufacturer's instructions for testing and troubleshooting the specific device.
Necessary Code
No specific code is required for this rule. However, you may need AWS Command Line Interface (CLI) commands to inspect and manage IAM user settings.
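As an added illustration (not part of the original rule page), the check below evaluates this rule from the JSON returned by two AWS CLI calls, `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned`. It assumes the convention that a virtual MFA device assigned to the root user carries a serial number ending in `:mfa/root-account-mfa-device`; the account id 123456789012 and the sample documents are constructed placeholders.

```python
# Evaluates the "IAM root user hardware MFA should be enabled" rule from the
# JSON that two AWS CLI calls return (run them first and save the output):
#   aws iam get-account-summary > summary.json
#   aws iam list-virtual-mfa-devices --assignment-status Assigned > virtual.json
# AccountMFAEnabled only says the root user has *some* MFA device; a virtual
# device assigned to root shows up in the virtual list with this serial tail
# (assumed naming convention for the root user's virtual device).
ROOT_VIRTUAL_MFA_SUFFIX = ":mfa/root-account-mfa-device"


def root_hardware_mfa_enabled(account_summary: dict, virtual_devices: dict) -> tuple:
    """Return (compliant, reason) for the two CLI documents."""
    summary = account_summary.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        return False, "root user has no MFA device at all"
    for device in virtual_devices.get("VirtualMFADevices", []):
        if device.get("SerialNumber", "").endswith(ROOT_VIRTUAL_MFA_SUFFIX):
            return False, "root user MFA is a virtual device, not hardware"
    return True, "root user MFA is enabled and is not a virtual device"


# Constructed sample documents in the shape the CLI emits (account id
# 123456789012 is a placeholder, not a real account).
SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}
NO_VIRTUAL = {"VirtualMFADevices": []}
# An ordinary IAM user with a virtual device must not fail the root check.
USER_VIRTUAL_ONLY = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
     "User": {"Arn": "arn:aws:iam::123456789012:user/alice"}}]}
ROOT_VIRTUAL = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::123456789012:root"}}]}

if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) == 3:  # real run: python check.py summary.json virtual.json
        with open(sys.argv[1]) as s, open(sys.argv[2]) as v:
            summary, virtual = json.load(s), json.load(v)
    else:                   # demo run on the constructed samples
        summary, virtual = SUMMARY_MFA_ON, USER_VIRTUAL_ONLY
    ok, why = root_hardware_mfa_enabled(summary, virtual)
    print(("PASS" if ok else "FAIL") + ": " + why)
```

Run it against the saved CLI output for a live evaluation, or with no arguments to see the sample verdict.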
Step-by-Step Guide for Remediation
To enable hardware MFA for the IAM root user for FedRAMP Moderate Revision 4 compliance, follow these steps:
Access AWS Management Console: Log in to the AWS Management Console using the root user credentials.
Open the IAM Service: Once logged in, navigate to the IAM service by searching for "IAM" in the AWS Management Console search bar and selecting the appropriate result.
Access the Root User Details: On the IAM dashboard, click on the "Users" tab from the left-hand menu. Locate and click on the root user from the list of users.
Enable Hardware MFA: In the root user's details page, scroll down to the "Security" section and click on the "Enable MFA" button.
Configure MFA Device: On the "Manage MFA Device" page, select the "A hardware MFA device" option and click on the "Continue" button.
Follow Device Setup Instructions: Follow the on-screen instructions to set up the hardware MFA device. This may involve inserting the hardware token or smart card into the appropriate reader.
Complete Device Configuration: Once the hardware MFA device is set up, click on the "Assign MFA device" button to complete the configuration.
Verify MFA Setup: After completing the configuration, return to the root user's details page. The hardware MFA device status should show as "Enabled" under the "Security" section.
Test MFA Authentication: To ensure the hardware MFA is functioning correctly, log out of the AWS Management Console, and attempt to log back in using the root user credentials. Follow the prompts to enter the MFA code generated by the hardware device.
Document and Validate: Document the successful enabling of IAM root user hardware MFA and validate that it meets the FedRAMP Moderate Revision 4 compliance requirements.
Note: Store the hardware MFA device securely and ensure that only authorized personnel can access it.
By following these steps, you enable hardware MFA for the IAM root user as required for FedRAMP Moderate Revision 4 compliance.