
IAM Root User Hardware MFA Enabled Rule

This rule ensures that the AWS account root user is protected by a hardware MFA device rather than no MFA or a virtual (authenticator-app) device. The root user has unrestricted access to the account and cannot be limited by IAM policies, so the strength of its second factor matters more than for any other identity: a hardware TOTP token cannot have its seed copied off a phone, and a FIDO2 security key is additionally phishing-resistant.

Rule: IAM root user hardware MFA should be enabled
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Critical

Rule Description:

The rule requires that a hardware Multi-Factor Authentication (MFA) device is assigned to the root user of the AWS account. The framework tag indicates that the finding is reported under the FFIEC compliance mapping; the control itself is a baseline recommendation for every AWS account, because the root user has unrestricted access and cannot be constrained by IAM policies.

Troubleshooting Steps:

  1. Confirm scope: the FFIEC tag only determines which compliance report the finding appears in. The same control is part of general AWS baselines (for example the CIS AWS Foundations Benchmark), so do not dismiss the finding because your organization is not an FFIEC-regulated institution.

  2. Check whether the root user has any MFA at all: run `aws iam get-account-summary` and read `AccountMFAEnabled` in `SummaryMap`. A value of 1 means at least one MFA device is assigned to root; 0 means none. The IAM credential report (`aws iam get-credential-report`) shows the same fact in the `mfa_active` column of the `<root_account>` row. IAM policies are not the place to look: you cannot attach a policy to the root user, so an `aws:MultiFactorAuthPresent` condition cannot require MFA for it.

  3. Remember that the root user is not an IAM user: it does not appear under IAM > Users, cannot be suspended or disabled, and has no attached policies. The check reads the account-level summary, not a user record.

  4. Check that the assigned device is hardware, not virtual: run `aws iam list-virtual-mfa-devices --assignment-status Assigned`. A device whose `SerialNumber` ends in `:mfa/root-account-mfa-device` is a virtual (authenticator-app) device bound to root. Treat the account as non-compliant while such a device exists, even if a hardware device is also registered, because the virtual device remains a valid sign-in factor for root.

  5. Confirm what "hardware" means to AWS: the supported hardware device types for the root user are FIDO2 security keys (for example a YubiKey) and hardware TOTP tokens (key-fob or display-card tokens). Smart cards are not a supported device type. Make sure the registered device is physically available to whoever is authorized to use the root credentials.

Necessary Code:

No code is required to remediate this rule: MFA for the root user is assigned in the AWS Management Console while signed in as root, and it cannot be configured through IAM policies. The compliance check itself can be automated from the two IAM API calls named in the troubleshooting steps (`get-account-summary` and `list-virtual-mfa-devices`).
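The decision the troubleshooting steps describe, as an added example that is not part of the original rule page or of Cloud Defense's own scanner: a Python evaluator that applies the CIS-style test (AccountMFAEnabled must be 1, and no virtual device may be bound to root) to the two IAM API responses. The sample responses are constructed using the AWS documentation example account ID 111122223333 and the device name "root-phone" is an assumption; the `fetch_live_inputs` helper is hypothetical wiring that pulls real responses with boto3 and is not needed to run the offline evaluation.

```python
"""Decide whether the AWS account root user is protected by a hardware MFA device.

Inputs are the two IAM API responses the CIS audit procedure uses:
  aws iam get-account-summary                               -> SummaryMap.AccountMFAEnabled
  aws iam list-virtual-mfa-devices --assignment-status Assigned
                                                            -> VirtualMFADevices[].SerialNumber
Hardware TOTP tokens and FIDO2 security keys never appear in the virtual-device
list, so: hardware MFA present <=> AccountMFAEnabled == 1 and no root virtual device.
"""
from __future__ import annotations

from dataclasses import dataclass

# Serial suffix of the classic virtual root device, as documented by the CIS benchmark.
ROOT_VIRTUAL_SUFFIX = ":mfa/root-account-mfa-device"


@dataclass(frozen=True)
class RootMfaFinding:
    status: str  # "COMPLIANT" or "NON_COMPLIANT"
    reason: str


def root_virtual_devices(virtual_devices: list[dict]) -> list[str]:
    """Serial numbers of virtual MFA devices that are bound to the root user.

    Matches on the serial suffix the CIS audit procedure documents, and also on the
    bound User ARN when the API returns one, since a device given a custom name at
    creation may not carry the historic 'root-account-mfa-device' name.
    """
    found: list[str] = []
    for dev in virtual_devices:
        serial = dev.get("SerialNumber", "")
        user_arn = dev.get("User", {}).get("Arn", "")
        if serial.endswith(ROOT_VIRTUAL_SUFFIX) or user_arn.endswith(":root"):
            found.append(serial)
    return found


def evaluate_root_hardware_mfa(summary_map: dict, virtual_devices: list[dict]) -> RootMfaFinding:
    """Apply the rule: MFA must be on for root, and none of it may be a virtual device."""
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return RootMfaFinding("NON_COMPLIANT", "root user has no MFA device assigned")
    virtual = root_virtual_devices(virtual_devices)
    if virtual:
        # Even if a hardware token is also registered, a virtual device remains a
        # valid sign-in factor for root, so the account is still non-compliant.
        return RootMfaFinding(
            "NON_COMPLIANT",
            "root user has a virtual (software) MFA device: " + ", ".join(virtual),
        )
    return RootMfaFinding("COMPLIANT", "root user MFA is enabled and no virtual device is bound to root")


def fetch_live_inputs() -> tuple[dict, list[dict]]:
    """Hypothetical live wiring: pull both responses with boto3 (needs
    iam:GetAccountSummary and iam:ListVirtualMFADevices). boto3 is imported lazily
    so the offline evaluation above does not depend on it."""
    import boto3

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices: list[dict] = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return summary, devices


# Constructed sample responses (AWS documentation example account ID, not a real account).
SUMMARY_NO_MFA = {"AccountMFAEnabled": 0, "Users": 3}
SUMMARY_MFA = {"AccountMFAEnabled": 1, "Users": 3}
DEVICES_ROOT_VIRTUAL = [
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device"},
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice"},
]
DEVICES_ROOT_RENAMED = [  # custom device name, identified only through the bound User ARN
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-phone",
     "User": {"Arn": "arn:aws:iam::111122223333:root"}},
]
DEVICES_USERS_ONLY = [{"SerialNumber": "arn:aws:iam::111122223333:mfa/alice"}]


if __name__ == "__main__":
    cases = [
        ("no MFA on root", SUMMARY_NO_MFA, []),
        ("virtual MFA on root", SUMMARY_MFA, DEVICES_ROOT_VIRTUAL),
        ("renamed virtual MFA on root", SUMMARY_MFA, DEVICES_ROOT_RENAMED),
        ("hardware MFA on root", SUMMARY_MFA, DEVICES_USERS_ONLY),
    ]
    for label, summary, devices in cases:
        finding = evaluate_root_hardware_mfa(summary, devices)
        print(f"{label}: {finding.status} ({finding.reason})")
```

Running the file prints one verdict per constructed case; to evaluate a real account, feed the result of `fetch_live_inputs()` to `evaluate_root_hardware_mfa` from credentials that hold the two read-only IAM permissions named in the helper. The evaluator deliberately does not try to distinguish a FIDO2 key from a hardware TOTP token, because neither IAM API exposes that difference; both satisfy the rule.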

Remediation Steps:

  1. Sign in to the AWS Management Console as the root user, using the account's root email address and password.
  2. Open the account menu in the top-right corner and choose "Security credentials". The root user does not appear under IAM > Users, so it cannot be selected from that list; the security recommendations on the IAM dashboard link to the same root security credentials page.
  3. In the "Multi-factor authentication (MFA)" section, choose "Assign MFA device".
  4. Enter a device name and choose "Security key" (FIDO2) or "Hardware TOTP token". Do not choose "Authenticator app", which creates a virtual device and leaves the rule non-compliant.
  5. Follow the on-screen instructions: touch the security key when prompted, or enter two consecutive codes from the hardware TOTP token.
  6. If a virtual MFA device was previously assigned to root, remove it from the same section once the hardware device has been verified, so that the authenticator app is no longer a valid sign-in factor.
  7. Store the device in a secure location with documented access, and register a second hardware device as a backup (AWS allows up to eight MFA devices for the root user) so that the loss of one token does not lock you out of the account.

Note: Reserve the root user for the few tasks that require it (for example changing the account's support plan or closing the account) and perform day-to-day operations through IAM Identity Center users or IAM roles with least-privilege permissions. Keep the root credentials and MFA devices under the same controlled access as other break-glass material.
