
Rule: IAM Root User Hardware MFA should be Enabled

This rule ensures that the IAM root user has hardware MFA enabled for secure authentication.

Rule: IAM root user hardware MFA should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: Critical

IAM Root User Hardware MFA Requirement for FedRAMP Moderate Revision 4

FedRAMP (Federal Risk and Authorization Management Program) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. For FedRAMP Moderate Revision 4, one of the requirements is that the Identity and Access Management (IAM) root user account should have hardware-based multi-factor authentication (MFA) enabled to enhance security.

Rule Details

The IAM root user has unrestricted access to all resources within the AWS account. To protect this highly privileged account, it's essential to enable MFA, which adds an additional layer of security on top of the username and password. For FedRAMP Moderate Revision 4, hardware MFA devices are preferred over virtual MFA because hardware devices are considered to be more secure.

Enabling hardware MFA for the root user ensures that changes to AWS resources and services can only be made by someone in possession of both the password and the hardware MFA device. This reduces the risk of unauthorized access resulting from compromised credentials.

Troubleshooting Steps

If you encounter issues when enabling hardware MFA, perform the following steps:

  1. Verify the hardware MFA device is supported by AWS.
  2. Check that the time on the hardware MFA device is in sync with the AWS servers.
  3. Ensure that you're entering the correct MFA code from your device.
  4. If the device is not being recognized, try unplugging and replugging it into your computer's USB port.

Enabling Hardware MFA

Prerequisites

  • You will need a hardware MFA device that is compatible with AWS.
  • Have your root account credentials on hand as you will need them to log in to the AWS Management Console.

Step-By-Step Guide

  1. Log in to the AWS Management Console with your root user credentials.
  2. Navigate to the IAM dashboard.
  3. In the IAM dashboard, go to the "Security credentials" tab.
  4. In the "Multi-factor authentication (MFA)" section, click on "Activate MFA."
  5. Select "A hardware MFA device" and then click "Continue."
  6. Enter the serial number located on the back or bottom of the hardware MFA device.
  7. Enter two consecutive MFA codes from your hardware device into the MFA code 1 and MFA code 2 fields.
  8. Click "Activate MFA" to complete the process.

Necessary AWS CLI Commands (For Reference)

Even though the hardware MFA cannot be activated using the AWS CLI, you can use the CLI to list the MFA devices attached to the root user. Run the command while authenticated with root user credentials:

aws iam list-mfa-devices

Note: Omit the --user-name option for the root user. The root user has no IAM user name, so --user-name applies only to IAM users; when it is omitted, the command lists the MFA devices of the identity whose credentials are in use.
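The two rule sections above (Rule Details and the CLI reference) describe the condition this page checks for but not how a scanner decides it. The following is an added example, not Cloud Defense's own rule implementation: it evaluates the root user's MFA posture from the two IAM API responses that carry the needed facts, GetAccountSummary (the AccountMFAEnabled counter is 1 when the root user has any MFA device) and ListVirtualMFADevices (only virtual devices appear there, and a root-assigned one has a User ARN ending in ":root"). MFA enabled with no virtual device assigned to root therefore means a non-virtual device, which is how AWS itself distinguishes hardware from virtual MFA. The evaluation logic is pure and runs against constructed sample responses; only the optional fetch_live_inputs function talks to AWS and needs boto3 plus credentials. The account ID and user names in the samples are made up.

```python
"""Evaluate whether the AWS root user has MFA enabled and whether that MFA is a
hardware (non-virtual) device, as required by the FedRAMP Moderate rule above.

Added example, not Cloud Defense's own code. The API response shapes follow
iam:GetAccountSummary and iam:ListVirtualMFADevices; the sample data below is
constructed, not captured from a real account.
"""
from dataclasses import dataclass
from typing import Optional

ROOT_ARN_SUFFIX = ":root"


@dataclass(frozen=True)
class RootMfaStatus:
    mfa_enabled: bool            # AccountMFAEnabled == 1
    hardware_mfa: bool           # MFA enabled and no virtual device assigned to root
    virtual_serial: Optional[str]  # serial of the root virtual device, if any

    @property
    def compliant(self) -> bool:
        return self.mfa_enabled and self.hardware_mfa


def evaluate_root_mfa(account_summary: dict, virtual_devices: list) -> RootMfaStatus:
    """Classify the root user's MFA posture from two IAM API responses.

    account_summary: the 'SummaryMap' dict from GetAccountSummary.
    virtual_devices: the 'VirtualMFADevices' list from ListVirtualMFADevices
        (AssignmentStatus=Assigned). Hardware TOTP tokens and FIDO keys never
        appear in this list, so an enabled root MFA with no root entry here is
        a non-virtual device.
    """
    mfa_enabled = int(account_summary.get("AccountMFAEnabled", 0)) == 1
    root_virtual = [
        d for d in virtual_devices
        if d.get("User", {}).get("Arn", "").endswith(ROOT_ARN_SUFFIX)
    ]
    virtual_serial = root_virtual[0]["SerialNumber"] if root_virtual else None
    return RootMfaStatus(
        mfa_enabled=mfa_enabled,
        hardware_mfa=mfa_enabled and not root_virtual,
        virtual_serial=virtual_serial,
    )


def fetch_live_inputs():
    """Pull the two API responses from AWS (requires boto3 and credentials
    allowed to call iam:GetAccountSummary and iam:ListVirtualMFADevices)."""
    import boto3  # imported here so the pure logic above runs without boto3
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return summary, devices


# Constructed sample responses (hypothetical account ID and user name).
SAMPLE_ACCOUNT_ID = "123456789012"
SUMMARY_MFA_ON = {"AccountMFAEnabled": 1, "Users": 3}
SUMMARY_MFA_OFF = {"AccountMFAEnabled": 0, "Users": 3}
VIRTUAL_ROOT = [{
    "SerialNumber": f"arn:aws:iam::{SAMPLE_ACCOUNT_ID}:mfa/root-account-mfa-device",
    "User": {"Arn": f"arn:aws:iam::{SAMPLE_ACCOUNT_ID}:root", "UserId": SAMPLE_ACCOUNT_ID},
}]
VIRTUAL_OTHER_USER = [{
    "SerialNumber": f"arn:aws:iam::{SAMPLE_ACCOUNT_ID}:mfa/alice",
    "User": {"Arn": f"arn:aws:iam::{SAMPLE_ACCOUNT_ID}:user/alice", "UserId": "AIDAEXAMPLE"},
}]


if __name__ == "__main__":
    cases = [
        ("hardware MFA on root", SUMMARY_MFA_ON, VIRTUAL_OTHER_USER),
        ("virtual MFA on root", SUMMARY_MFA_ON, VIRTUAL_ROOT),
        ("no MFA on root", SUMMARY_MFA_OFF, []),
    ]
    for label, summary, virtual in cases:
        status = evaluate_root_mfa(summary, virtual)
        print(f"{label}: compliant={status.compliant} {status}")
```

To run it against a real account, call evaluate_root_mfa(*fetch_live_inputs()) with credentials that can read IAM; the root user itself is not needed for the read-only check, which is useful because routine root sign-ins are exactly what this rule is meant to make rare.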

Remediation

If the hardware MFA is disabled or not functioning properly:

  1. Contact AWS Support for assistance with the device.
  2. If necessary, obtain a new hardware MFA device and repeat the above steps to activate MFA for the root user account.

Post-Configuration

After successfully enabling hardware MFA:

  • Store the hardware MFA device in a secure location.
  • Review and update your organization's access control policies to reflect the changes.
  • Conduct regular training for personnel on handling and using the hardware MFA device correctly.

Ensuring that the IAM root user hardware MFA is enabled and functioning is a critical component of meeting FedRAMP Moderate compliance and enhancing the overall security posture of your AWS environment.
