This rule ensures that IAM users with console access have multi-factor authentication enabled for enhanced security.
Rule | IAM users with console access should have MFA enabled
Framework | FedRAMP Moderate Revision 4
Severity | High
IAM Users with Console Access Should Have MFA Enabled for FedRAMP Moderate Revision 4
Overview
Multi-Factor Authentication (MFA) is a security process that requires users to authenticate using more than one method of verification. For Amazon Web Services (AWS) Identity and Access Management (IAM), enabling MFA helps to secure user accounts and comply with various security standards, including the Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4.
FedRAMP Moderate Revision 4 is a compliance standard that includes requirements for federal agencies to implement stringent security controls. One of these controls is that all user accounts with console access must have MFA enabled.
Troubleshooting MFA Issues
Common Problems
Troubleshooting Steps
Required CLI Command to Enable MFA
To enable MFA for an IAM user via the AWS Command Line Interface (CLI), you'll need to perform the following steps:
```bash
# 1. Create a virtual MFA device (a hardware device can be used instead).
#    With --bootstrap-method QRCodePNG the --outfile receives a PNG of the QR code.
aws iam create-virtual-mfa-device \
  --virtual-mfa-device-name <mfa-device-name> \
  --outfile <path-to-qr-code-png> \
  --bootstrap-method QRCodePNG

# 2. Enable the MFA device for the user (two consecutive codes from the device)
aws iam enable-mfa-device \
  --user-name <username> \
  --serial-number <arn-of-the-mfa-device> \
  --authentication-code1 <first-code> \
  --authentication-code2 <second-code>

# 3. There is no CLI switch that forces MFA at console login;
#    enforcement is done through an IAM policy (see the next section).
```
Step-by-Step Guide for MFA Enforcement Policy
To require MFA for IAM users with console access, you should create and apply an IAM policy that enforces MFA authentication. Follow these steps:
Step 1: Create IAM Policy
Create a policy that denies all actions if MFA is not used.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```
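To see what this Deny statement actually does, here is an added example (not code from the page or from AWS) that evaluates it against constructed request contexts. It models only what the statement needs: `Action`/`NotAction` matching with `*` and the `BoolIfExists` operator on `aws:MultiFactorAuthPresent`; real IAM evaluation has many more rules. It also includes a second, hypothetical variant that follows AWS's documented "deny everything except MFA self-enrollment" pattern, because the blanket Deny above also blocks `iam:EnableMFADevice` for a user who has not enrolled yet.

```python
"""Added example: minimal evaluator for the Step 1 Deny statement.

Only Action/NotAction matching and the BoolIfExists operator are modelled;
request contexts below are constructed for illustration.
"""
import fnmatch
from typing import Dict, Iterable, Union

Context = Dict[str, str]

# The policy from Step 1 (condition value written as a string, as IAM expects).
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Hypothetical variant after AWS's documented self-enrollment pattern: the same
# Deny, but the calls a user needs to register a device are exempted so that a
# newly created user is not locked out before enrolling.
MFA_DENY_ALLOW_ENROLMENT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
            "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice", "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value: Union[str, Iterable[str]]) -> list:
    return [value] if isinstance(value, str) else list(value)


def _pattern_hit(action: str, patterns: Iterable[str]) -> bool:
    # IAM action matching is case-insensitive with "*" as the wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def action_matches(stmt: dict, action: str) -> bool:
    """Action: any listed pattern matches; NotAction: anything NOT listed matches."""
    if "Action" in stmt:
        return _pattern_hit(action, _as_list(stmt["Action"]))
    return not _pattern_hit(action, _as_list(stmt["NotAction"]))


def bool_if_exists(context: Context, key: str, expected: str) -> bool:
    """BoolIfExists: a request that lacks the key satisfies the condition.

    This is what makes the Deny also hit long-term access-key requests,
    which never carry aws:MultiFactorAuthPresent at all.
    """
    if key not in context:
        return True
    return context[key].lower() == expected.lower()


def conditions_hold(stmt: dict, context: Context) -> bool:
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(operator)  # the only operator modelled here
        for key, expected in pairs.items():
            if not bool_if_exists(context, key, expected):
                return False
    return True


def is_denied(policy: dict, action: str, context: Context) -> bool:
    """True if any Deny statement of the policy applies to this request."""
    return any(
        stmt["Effect"] == "Deny"
        and action_matches(stmt, action)
        and conditions_hold(stmt, context)
        for stmt in policy["Statement"]
    )


# Constructed request contexts.
CONSOLE_WITH_MFA: Context = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA: Context = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_REQUEST: Context = {}  # long-term credentials: key is absent


def decision_table(policy: dict, action: str) -> Dict[str, bool]:
    """Denied-or-not for one action under each of the three contexts."""
    return {
        "console_with_mfa": is_denied(policy, action, CONSOLE_WITH_MFA),
        "console_no_mfa": is_denied(policy, action, CONSOLE_NO_MFA),
        "access_key": is_denied(policy, action, ACCESS_KEY_REQUEST),
    }


if __name__ == "__main__":
    for name, policy in (("step1", MFA_DENY_POLICY), ("with-enrolment", MFA_DENY_ALLOW_ENROLMENT)):
        for action in ("s3:ListAllMyBuckets", "iam:EnableMFADevice"):
            print(name, action, decision_table(policy, action))
```

Running it shows the two properties worth knowing before attaching the policy: the Step 1 statement denies both non-MFA console sessions and plain access-key requests (the key is simply absent there), and it also denies `iam:EnableMFADevice` to a user who has not yet enrolled, which the `NotAction` variant avoids.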
Step 2: Attach Policy to IAM Users
Attach the created policy to the IAM users or groups that require MFA.
```bash
# Attach the policy to a user
aws iam attach-user-policy \
  --policy-arn <arn-of-the-MFA-policy> \
  --user-name <username>

# Attach the policy to a group
aws iam attach-group-policy \
  --policy-arn <arn-of-the-MFA-policy> \
  --group-name <group-name>
```
Step 3: Verify Compliance
Ensure all IAM users with console access have MFA enabled.
```bash
# List all IAM users
aws iam list-users

# Check MFA status for a user
aws iam list-mfa-devices --user-name <username>
```
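The Step 3 check as code, as an added example (not the page's or any tool's own code): a user is in scope when a console login profile exists (what `aws iam get-login-profile` reports) and compliant when `list-mfa-devices` returns at least one device, which covers both virtual and hardware MFA. The IAM client is duck-typed, so the logic runs here against a constructed `FakeIam`; with boto3 installed, `boto3.client("iam")` could be passed instead (assumed, not exercised in the block).

```python
"""Added example: find IAM users that have console access but no MFA device.

FakeIam and SAMPLE_ACCOUNT are constructed stand-ins for a real IAM client
and a real account inventory.
"""
from typing import Dict, List


def has_console_access(iam, user_name: str) -> bool:
    """A login profile exists only for users with a console password."""
    try:
        iam.get_login_profile(UserName=user_name)
        return True
    except iam.exceptions.NoSuchEntityException:
        return False


def find_console_users_without_mfa(iam) -> List[str]:
    """Names of users that can log in to the console but have no MFA device."""
    noncompliant: List[str] = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            if not has_console_access(iam, name):
                continue  # API-only user: outside the scope of this rule
            if not iam.list_mfa_devices(UserName=name)["MFADevices"]:
                noncompliant.append(name)
    return noncompliant


class _NoSuchEntity(Exception):
    pass


class FakeIam:
    """Constructed stand-in for boto3's IAM client, with the three calls used above."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        NoSuchEntityException = _NoSuchEntity

    def __init__(self, users: Dict[str, dict]):
        self._users = users  # name -> {"console": bool, "mfa": [serial numbers]}

    def get_paginator(self, operation: str):
        assert operation == "list_users"
        names = list(self._users)

        class _Paginator:
            def paginate(self):
                for i in range(0, len(names), 2):  # two users per page to exercise paging
                    yield {"Users": [{"UserName": n} for n in names[i:i + 2]]}

        return _Paginator()

    def get_login_profile(self, UserName: str) -> dict:
        if not self._users[UserName]["console"]:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName}}

    def list_mfa_devices(self, UserName: str) -> dict:
        return {"MFADevices": [{"SerialNumber": s} for s in self._users[UserName]["mfa"]]}


# Constructed inventory; 123456789012 is a placeholder account id.
SAMPLE_ACCOUNT = {
    "alice": {"console": True, "mfa": ["arn:aws:iam::123456789012:mfa/alice"]},
    "bob": {"console": True, "mfa": []},                 # violates the rule
    "ci-deployer": {"console": False, "mfa": []},        # API-only: not in scope
    "carol": {"console": True, "mfa": ["arn:aws:iam::123456789012:mfa/carol"]},
    "dave": {"console": True, "mfa": []},                # violates the rule
}


if __name__ == "__main__":
    for name in find_console_users_without_mfa(FakeIam(SAMPLE_ACCOUNT)):
        print(f"NONCOMPLIANT: {name} has console access without MFA")
```

The check deliberately skips users without a login profile: the rule covers console access, and an API-only user would otherwise be reported as a false positive. Because `list-mfa-devices` also returns hardware devices, the same function serves accounts that mix virtual and hardware tokens.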
Remediation: Enabling MFA in AWS Management Console
Administrators can also enable MFA for a user by assigning an MFA device through the AWS Management Console instead of the CLI.
Recap: Ensure compliance with FedRAMP Moderate Revision 4 by mandating MFA for IAM users with console access. Utilize the AWS CLI and Management Console as per the steps to enforce, manage, and troubleshoot MFA, enhancing overall security posture within AWS environments.