
IAM Root User MFA Enabled Rule

Check if IAM root user MFA is enabled for enhanced security measures.

Rule: IAM root user MFA should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: Medium

IAM Root User MFA Should Be Enabled for FedRAMP Moderate Revision 4

Enabling multi-factor authentication (MFA) for the AWS account root user is a security best practice and a requirement for FedRAMP Moderate Revision 4 compliance. With MFA enabled, signing in as root requires the password plus a second factor from a device the user holds, so a leaked, phished or guessed root password on its own is not enough to take over the account.

FedRAMP Requirement

For FedRAMP Moderate Revision 4, MFA on the root user maps to the privileged-account multifactor control (NIST SP 800-53 Rev. 4 IA-2(1)) that the Moderate baseline inherits. FedRAMP standards are designed to protect federal data in the cloud, and an authorization requires strict adherence to these controls.

Detailed Description and Importance

The root user of an AWS account has full access to all resources in the account and cannot be restricted by IAM policies; it is the most privileged identity in the account. Enabling MFA adds a layer of security above the password: the root user must present two or more factors when signing in, something they know (the password) and something they have (a one-time code from an MFA device or a touch on a security key). Because compromise of root is unrecoverable by policy, the root user should also be used only for the few tasks that require it and should have no long-lived access keys.

Troubleshooting Steps

  • Check MFA Status: The status can be verified without signing in as root. In the IAM console, the dashboard's security recommendations flag a root user without MFA; via the API, the IAM account summary reports AccountMFAEnabled as 1 when root MFA is on, and the credential report lists the root user as <root_account> with an mfa_active column. Signing in as root and checking the dashboard works too, but avoid routine root sign-ins just to audit.
  • Device Issues: AWS does not issue backup codes for MFA. If the root MFA device is lost or broken, you can sign in with alternative factors (verification of the e-mail address and phone number registered on the account) or contact AWS Support. To avoid this situation, register more than one MFA device for the root user (AWS allows up to eight per identity) and store the secondary device separately.

Remediation Steps

Step 1: Sign in as Root User

Log into the AWS Management Console using the root user credentials.

Step 2: Navigate to the IAM Dashboard

On the AWS Management Console home page, click on "Services" then select "IAM" to access the IAM Dashboard.

Step 3: Enable MFA

Go to the Security Status Section

Locate the "Activate MFA on your root account" option in the Security Status section.

Setup MFA Device

Click "Manage MFA Device" and follow the prompts.

Virtual MFA Device

  • Select "A virtual MFA device" and click on "Next Step".
  • Use an MFA app such as Google Authenticator, Authy, or a similar app to scan the QR code.
  • Enter two consecutive MFA codes generated by your application to finalize the setup.

Hardware MFA Device or Security Key

  • If using a hardware TOTP token, select "A hardware MFA device", enter the token's serial number, and enter two consecutive codes displayed by the token.
  • A FIDO security key (for example a YubiKey) can also be registered for the root user: choose the security key option and touch the key when prompted. A phishing-resistant key is the preferred factor where the organization can manage the physical device.

Step 4: Finalize Setup

Once the MFA device is set up, AWS confirms that MFA is active on the root account. Store the hardware token or security key in a controlled location, never save the virtual device's QR-code seed alongside the root password, and register a second device so that loss of one does not lock the organization out of root.

CLI Considerations

The AWS CLI cannot enable MFA for the root user: aws iam enable-mfa-device takes an IAM user name, and the root user is not an IAM user and has no user name, so there is no value to put in --user-name for root. Root MFA is enabled in the console as described above. What the CLI can do is verify the rule without a root sign-in (the GetAccountSummary operation reports AccountMFAEnabled as 1 when root MFA is on, and the GetCredentialReport operation returns a CSV whose <root_account> row has an mfa_active column) and enable MFA for ordinary IAM users:

aws iam enable-mfa-device \
  --user-name <iam-user-name> \
  --serial-number <mfa-device-serial-number> \
  --authentication-code1 <first-code> \
  --authentication-code2 <second-code>

Note: Replace <iam-user-name>, <mfa-device-serial-number>, <first-code>, and <second-code> with the IAM user's name, the serial number of the MFA device (for a virtual device, the ARN returned when it was created), and two consecutive codes generated by that device. The caller needs iam:EnableMFADevice on the target user; the command fails with NoSuchEntity if you try to use it for the root user.
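The check above, written out as code: this is an added example, not Cloud Defense's rule engine or AWS sample code. It evaluates the rule from the two IAM API responses that expose root MFA status, GetAccountSummary and GetCredentialReport, using constructed sample responses so that it runs offline; the optional live_check() helper assumes boto3 and working AWS credentials. The account ID 123456789012 in the sample is a placeholder, and the credential report sample is trimmed to the columns the check reads.

```python
"""Evaluate "IAM root user MFA should be enabled" from IAM API responses.

Added example, not Cloud Defense or AWS code. The evaluation functions take
plain dicts shaped like the boto3 responses for GetAccountSummary and
GetCredentialReport, so they can be unit-tested against the constructed
samples at the bottom without touching a real account.
"""
import base64
import csv
import io


def root_mfa_from_account_summary(summary_response: dict) -> bool:
    """GetAccountSummary returns SummaryMap['AccountMFAEnabled'] as the
    integer 1 when the root user has an MFA device enabled, else 0."""
    summary_map = summary_response.get("SummaryMap", {})
    return int(summary_map.get("AccountMFAEnabled", 0)) == 1


def root_mfa_from_credential_report(report_response: dict) -> dict:
    """GetCredentialReport returns the report as base64-encoded CSV in
    'Content'. The root user is the row whose user column is
    '<root_account>'; mfa_active is the string 'true' or 'false'. Root
    access keys are reported too and are worth flagging in the same pass,
    since root should not have long-lived keys at all."""
    content = report_response["Content"]
    if isinstance(content, str):
        content = content.encode()
    text = base64.b64decode(content).decode()
    for row in csv.DictReader(io.StringIO(text)):
        if row["user"] == "<root_account>":
            return {
                "mfa_active": row["mfa_active"] == "true",
                "access_key_1_active": row["access_key_1_active"] == "true",
                "access_key_2_active": row["access_key_2_active"] == "true",
            }
    raise ValueError("credential report has no <root_account> row")


def evaluate_rule(summary_response: dict, report_response: dict) -> dict:
    """Combine both sources. They normally agree; a disagreement usually
    means a stale credential report (reports are cached for up to four
    hours), so it is surfaced rather than silently trusting one side."""
    from_summary = root_mfa_from_account_summary(summary_response)
    root = root_mfa_from_credential_report(report_response)
    passed = from_summary and root["mfa_active"]
    return {
        "status": "PASS" if passed else "FAIL",
        "consistent": from_summary == root["mfa_active"],
        "root_access_keys_active": root["access_key_1_active"]
        or root["access_key_2_active"],
    }


def live_check() -> dict:
    """Run the rule against the caller's own account. Assumes boto3 and
    credentials with iam:GetAccountSummary, iam:GenerateCredentialReport
    and iam:GetCredentialReport. Report generation is asynchronous, so
    poll until State is COMPLETE before fetching it."""
    import time
    import boto3

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return evaluate_rule(iam.get_account_summary(), iam.get_credential_report())


# Constructed sample responses (not captured from a real account). The CSV
# is trimmed to the columns this check reads; a real report has more.
SAMPLE_REPORT_FAIL = {
    "Content": base64.b64encode(
        b"user,arn,mfa_active,access_key_1_active,access_key_2_active\n"
        b"<root_account>,arn:aws:iam::123456789012:root,false,true,false\n"
        b"alice,arn:aws:iam::123456789012:user/alice,true,true,false\n"
    )
}
SAMPLE_REPORT_PASS = {
    "Content": base64.b64encode(
        b"user,arn,mfa_active,access_key_1_active,access_key_2_active\n"
        b"<root_account>,arn:aws:iam::123456789012:root,true,false,false\n"
        b"alice,arn:aws:iam::123456789012:user/alice,true,true,false\n"
    )
}
SAMPLE_SUMMARY_FAIL = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 1}}
SAMPLE_SUMMARY_PASS = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 1}}

if __name__ == "__main__":
    print(evaluate_rule(SAMPLE_SUMMARY_FAIL, SAMPLE_REPORT_FAIL))
    print(evaluate_rule(SAMPLE_SUMMARY_PASS, SAMPLE_REPORT_PASS))
```

Cross-checking the two sources is deliberate: the account summary is live, while a credential report can be up to four hours old, so a FAIL from a stale report right after enabling MFA shows up as consistent=False instead of a false alarm or a false pass.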

Conclusion

Ensuring that MFA is enabled for the IAM root user is not only a smart security move but also a compliance necessity for FedRAMP Moderate Revision 4. By following this guide, organizations can meet federal requirements and safeguard their critical cloud-based assets against unauthorized access.
