
IAM Users with Console Access Should Have MFA Enabled Rule

This rule emphasizes the importance of enabling multi-factor authentication for IAM users with console access.

Rule: IAM users with console access should have MFA enabled
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description

IAM users with console access should have Multi-Factor Authentication (MFA) enabled for compliance with FedRAMP Moderate Revision 4 security standards. MFA provides an additional layer of security by requiring users to provide a second form of authentication, in addition to their password, before gaining access to AWS resources via the AWS Management Console.

Troubleshooting Steps

If an IAM user with console access does not have MFA enabled, you can follow these troubleshooting steps:

  1. Verify MFA Configuration: Check the IAM user's MFA configuration to ensure it is correctly set up. Verify that the user has an assigned MFA device and that it is enabled.

  2. Verify Console Access: Ensure that the IAM user has permission to access the AWS Management Console. Check the user's policy and confirm they have the necessary permissions.

  3. Check MFA Device: Ensure that the MFA device is functioning properly. This may involve verifying that the device is synced correctly or troubleshooting any issues with the device itself.

  4. Test MFA Authentication: Validate that MFA authentication is working as expected. Attempt to log in to the AWS Management Console with the IAM user's credentials and MFA device to verify successful authentication.

Necessary Codes

To enforce MFA for IAM users with console access, you can use the AWS Command Line Interface (CLI) and the AWS Identity and Access Management (IAM) service.

The following policy denies every IAM action (iam:*) unless the request was authenticated with MFA; attach it to the users or groups that must use MFA. Because the condition uses BoolIfExists, a request in which the aws:MultiFactorAuthPresent key is absent (for example, one signed with long-term access keys) is treated as not MFA-authenticated and is denied as well. Note that the Deny also covers the IAM calls used to enrol an MFA device, so the device must be assigned before the policy is attached, or those calls must be exempted from it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceMFAForConsoleAccess",
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Replace the Sid, Effect, Action, and Resource values as appropriate for your requirements and existing policies.
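To find the users this rule flags, the IAM credential report lists each user's console (password) status and MFA status. The following Python is an added example, not Cloud Defense code: it parses a credential report CSV (as returned by aws iam get-credential-report, base64-decoded) and returns the users who can sign in with a password but have no active MFA device; the report content below is constructed sample data.

```python
"""Flag IAM users with console (password) access but no MFA device.

Added example (not from the original page). Input is the CSV body of the
IAM credential report; the column names used here (user, password_enabled,
mfa_active) are the report's real columns. The report is fetched with:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d
"""
import csv
import io

# Constructed sample report for an imaginary account (not real data).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,true,2024-01-02T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2021-02-01T00:00:00+00:00,true,no_information,2023-07-01T00:00:00+00:00,N/A,false,false
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2022-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true
"""


def console_users_without_mfa(report_csv: str) -> list:
    """Return the names of principals that can sign in to the console
    (password_enabled == true) but have no active MFA device
    (mfa_active != true)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        password_enabled = row["password_enabled"].strip().lower() == "true"
        mfa_active = row["mfa_active"].strip().lower() == "true"
        # The root user is reported with password_enabled = not_supported but
        # always has console access, so treat it as password-enabled.
        if row["user"] == "<root_account>":
            password_enabled = True
        # Users with no login profile (CLI-only users such as ci-deployer)
        # are out of scope for this rule and are skipped.
        if password_enabled and not mfa_active:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"FAIL: {user} has console access without MFA")
```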

Step-by-Step Guide for Remediation

Follow these steps to enable MFA for IAM users with console access:

  1. Log in to the AWS Management Console using an IAM user with sufficient permissions to manage IAM policies.

  2. Navigate to the IAM service.

  3. Select "Users" from the left-hand navigation menu.

  4. Locate the IAM user for whom you want to enable MFA and click on their username.

  5. Within the user details page, scroll down to the "Security credentials" section.

  6. Click on the "Manage" button next to "Assigned MFA device".

  7. Follow the on-screen instructions to configure the MFA device for the user. This typically involves selecting an MFA device type and associating it with the user's account.

  8. Once the MFA device is successfully associated, the user will need to activate it by following the additional instructions provided by the MFA device manufacturer.

  9. After the MFA device is activated, the user will be prompted to use it for authentication the next time they log in to the AWS Management Console.

  10. Test the MFA authentication by attempting to log in to the AWS Management Console with the IAM user's credentials and MFA device. Ensure that the login process requires the second step of authentication using the MFA device.

By following these steps, you can enable MFA for IAM users with console access, ensuring compliance with the FedRAMP Moderate Revision 4 security standards.
