Rule: IAM Users with Console Access Should Have MFA Enabled

This rule ensures that IAM users with console access have multi-factor authentication enabled for enhanced security.

Rule: IAM users with console access should have MFA enabled
Framework: FedRAMP Moderate Revision 4
Severity: High

IAM Users with Console Access Should Have MFA Enabled for FedRAMP Moderate Revision 4

Overview

Multi-Factor Authentication (MFA) is a security process that requires users to authenticate using more than one method of verification. For Amazon Web Services (AWS) Identity and Access Management (IAM), enabling MFA helps to secure user accounts and comply with various security standards, including the Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4.

FedRAMP Moderate Revision 4 is a compliance standard that includes requirements for federal agencies to implement stringent security controls. One of these controls is that all user accounts with console access must have MFA enabled.

Troubleshooting MFA Issues

Common Problems

  1. The user cannot log in after MFA is enabled.
  2. The MFA device is lost or not working.
  3. MFA codes are consistently rejected.

Troubleshooting Steps

  1. Ensure the user's MFA device is properly configured and that its clock is synchronized with the AWS server's time.
  2. If the MFA device is lost, an administrator can deactivate MFA so the user can sign in and configure a new device.
  3. Verify that the user is entering the correct MFA code, and that no typo or delay causes the code to expire before it is submitted.

Required CLI Command to Enable MFA

To enable MFA for an IAM user via the AWS Command Line Interface (CLI), you'll need to perform the following steps:

  1. Attach an MFA device to the IAM user.
  2. Enable the MFA device.
  3. Require the user to authenticate using MFA when logging in to the AWS Console.

# 1. Attach a virtual MFA device (you can also use a hardware device)
aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa-device-name> --outfile <path-to-base32-string-file> --bootstrap-method QRCodePNG

# 2. Enable the MFA device for the user
aws iam enable-mfa-device --user-name <username> --serial-number <arn-of-the-mfa-device> --authentication-code1 <first-code> --authentication-code2 <second-code>

# 3. The CLI does not support enforcing MFA for console login. This must be done through IAM policies.

Step-by-Step Guide for MFA Enforcement Policy

To require MFA for IAM users with console access, you should create and apply an IAM policy that enforces MFA authentication. Follow these steps:

Step 1: Create IAM Policy

Create a policy that denies all actions if MFA is not used.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
        }
    ]
}
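Two points about this statement decide whether it actually enforces anything. First, AWS only puts the aws:MultiFactorAuthPresent key into the request context for temporary credentials (a console session, or STS credentials); a CLI or API call signed with a long-term access key carries no such key at all, so a plain Bool condition would never match it and the Deny would silently not apply. BoolIfExists treats a missing key as a match, which is why the policy uses it. Second, because the statement denies every action, a user who has not yet registered a device cannot call the IAM actions needed to do so (the create-virtual-mfa-device and enable-mfa-device calls shown above); in practice that is handled by adding an Allow for the user's own MFA-management actions and exempting them from the Deny, following the pattern AWS documents for self-service MFA. The following added example (it is not code from the Cloud Defense page) is a minimal evaluator of the Deny statement that makes the first point concrete by comparing Bool and BoolIfExists over three constructed request contexts.

```python
# Added example: minimal evaluator for the "deny everything without MFA"
# statement, contrasting the Bool and BoolIfExists condition operators.
# The request contexts below are constructed to mirror what AWS documents:
# aws:MultiFactorAuthPresent is present for temporary credentials (true after
# an MFA sign-in, false otherwise) and absent for long-term access keys.
import json

MFA_KEY = "aws:MultiFactorAuthPresent"


def deny_without_mfa_policy(operator: str = "BoolIfExists") -> dict:
    """Return the Deny-all-without-MFA policy, parameterised on the operator."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {operator: {MFA_KEY: "false"}},
        }],
    }


def _condition_matches(operator: str, expected: str, context: dict) -> bool:
    """Evaluate one Bool / BoolIfExists condition on aws:MultiFactorAuthPresent."""
    if MFA_KEY not in context:
        # Bool: a missing key never matches.
        # BoolIfExists: a missing key counts as a match.
        return operator == "BoolIfExists"
    return str(context[MFA_KEY]).lower() == expected.lower()


def is_denied(policy: dict, context: dict) -> bool:
    """True if any Deny statement in the policy matches the request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Each statement here carries exactly one operator with one key/value.
        (operator, kv), = stmt["Condition"].items()
        (_, expected), = kv.items()
        if _condition_matches(operator, expected, context):
            return True
    return False


# Constructed request contexts (labels are descriptive, not AWS field names).
REQUESTS = {
    "console sign-in with MFA (temporary creds)": {MFA_KEY: "true"},
    "console sign-in without MFA (temporary creds)": {MFA_KEY: "false"},
    "CLI call with long-term access key": {},
}


def compare_operators() -> dict:
    """Map each request kind to {operator: denied?} for Bool and BoolIfExists."""
    return {
        name: {op: is_denied(deny_without_mfa_policy(op), ctx)
               for op in ("Bool", "BoolIfExists")}
        for name, ctx in REQUESTS.items()
    }


if __name__ == "__main__":
    print(json.dumps(compare_operators(), indent=2))
```

Running it shows the only row where the two operators disagree is the long-term access key: Bool leaves it allowed, BoolIfExists denies it. That is the gap the rule is meant to close for users who hold both a console password and access keys.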

Step 2: Attach Policy to IAM Users

Attach the created policy to the IAM users or groups that require MFA.

# Attach the policy to a user
aws iam attach-user-policy --policy-arn <arn-of-the-MFA-policy> --user-name <username>

# Attach the policy to a group
aws iam attach-group-policy --policy-arn <arn-of-the-MFA-policy> --group-name <group-name>

Step 3: Verify Compliance

Confirm that every IAM user who has console access (a console password) also has at least one MFA device enabled; users without a console password are outside the scope of this rule.

# List all IAM users
aws iam list-users

# Check MFA status for a user
aws iam list-mfa-devices --user-name <username>

Remediation: Enabling MFA in AWS Management Console

Administrators can also register an MFA device for a user through the AWS Management Console.

  1. Navigate to the IAM dashboard.
  2. Select the user and go to the "Security credentials" tab.
  3. Under "Assigned MFA device," choose "Manage."
  4. Follow the steps to set up a virtual MFA or hardware MFA device.

Recap: Ensure compliance with FedRAMP Moderate Revision 4 by mandating MFA for IAM users with console access. Utilize the AWS CLI and Management Console as per the steps to enforce, manage, and troubleshoot MFA, enhancing overall security posture within AWS environments.