Rule: IAM Users with Console Access Should Have MFA Enabled
This rule ensures that IAM users with console access have multi-factor authentication enabled for enhanced security.
| Rule | IAM users with console access should have MFA enabled |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ High |
IAM Users with Console Access Should Have MFA Enabled for FedRAMP Moderate Revision 4
Overview
Multi-Factor Authentication (MFA) is a security process that requires users to authenticate using more than one method of verification. For Amazon Web Services (AWS) Identity and Access Management (IAM), enabling MFA helps to secure user accounts and comply with various security standards, including the Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4.
FedRAMP Moderate Revision 4 is a compliance standard that includes requirements for federal agencies to implement stringent security controls. One of these controls is that all user accounts with console access must have MFA enabled.
Troubleshooting MFA Issues
Common Problems
- 1.User cannot log in after MFA is enabled.
- 2.MFA device is lost or not working.
- 3.MFA codes are consistently rejected.
Troubleshooting Steps
- 1.Ensure the user's MFA device is properly configured and synchronized with the AWS server's time.
- 2.If the MFA device is lost, an administrator can deactivate MFA to allow the user to sign in and reconfigure a new device.
- 3.Verify that the user is entering the correct MFA code, and there's no typo or delay that may cause the code to expire.
Required CLI Command to Enable MFA
To enable MFA for an IAM user via the AWS Command Line Interface (CLI), you'll need to perform the following steps:
- 1.Attach an MFA device to the IAM user.
- 2.Enable the MFA device.
- 3.Require the user to authenticate using MFA when logging in to the AWS Console.
# 1. Attach a virtual MFA device (you can also use a hardware device) aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa-device-name> --outfile <path-to-base32-string-file> --bootstrap-method QRCodePNG # 2. Enable the MFA device for the user aws iam enable-mfa-device --user-name <username> --serial-number <arn-of-the-mfa-device> --authentication-code1 <first-code> --authentication-code2 <second-code> # 3. The CLI does not support enforcing MFA for console login. This must be done through IAM policies.
Step-by-Step Guide for MFA Enforcement Policy
To require MFA for IAM users with console access, you should create and apply an IAM policy that enforces MFA authentication. Follow these steps:
Step 1: Create IAM Policy
Create a policy that denies all actions if MFA is not used.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
}
]
}
Step 2: Attach Policy to IAM Users
Attach the created policy to the IAM users or groups that require MFA.
# Attach the policy to a user aws iam attach-user-policy --policy-arn <arn-of-the-MFA-policy> --user-name <username> # Attach the policy to a group aws iam attach-group-policy --policy-arn <arn-of-the-MFA-policy> --group-name <group-name>
Step 3: Verify Compliance
Ensure all IAM users with console access have MFA enabled.
# List all IAM users aws iam list-users # Check MFA status for a user aws iam list-mfa-devices --user-name <username>
Remediation: Enabling MFA in AWS Management Console
Admins can enforce MFA by enabling it through the AWS Management Console.
- 1.Navigate to the IAM dashboard.
- 2.Select the user and go to the "Security credentials" tab.
- 3.Under "Assigned MFA device," choose "Manage."
- 4.Follow the steps to set up a virtual MFA or hardware MFA device.
Recap: Ensure compliance with FedRAMP Moderate Revision 4 by mandating MFA for IAM users with console access. Utilize the AWS CLI and Management Console as per the steps to enforce, manage, and troubleshoot MFA, enhancing overall security posture within AWS environments.