This rule ensures IAM users with console access have MFA enabled.
| Rule | IAM users with console access should have MFA enabled |
| Framework | GxP 21 CFR Part 11 |
| Severity | High |
Rule Description:
IAM users with console access (that is, users who have a console password, also called a login profile) should have Multi-Factor Authentication (MFA) enabled in order to comply with the GxP 21 CFR Part 11 requirements. MFA adds a second factor to the sign-in: in addition to the username and password, the user must present a code from an authenticator app or hardware TOTP token, or touch a FIDO security key, when logging into the AWS Management Console. A stolen or guessed password alone is then not enough to open a console session.
Troubleshooting Steps (if MFA is not enabled):
If MFA is not enabled for an IAM user with console access, follow these troubleshooting steps:
1. Verify IAM User Permissions:
Ensure that the identity you are using is allowed to manage MFA devices for other IAM users. The relevant IAM actions are iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ListMFADevices and iam:ResyncMFADevice (plus iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice for replacing a lost device). If users are expected to enrol their own device, grant them these actions scoped to their own user ARN and to the virtual MFA device ARN carrying their user name, rather than on all users.
2. Enable MFA for the IAM User:
To enable MFA for an IAM user, follow these steps:
a. Sign in to the AWS Management Console:
Sign in to the AWS Management Console using your credentials.
b. Navigate to the IAM Dashboard:
Go to the IAM service from the AWS Management Console dashboard.
c. Select the IAM User:
Choose the desired IAM user for which you want to enable MFA.
d. Enable MFA for the User:
Open the "Security credentials" tab and find the "Multi-factor authentication (MFA)" section. If a device is already listed there, MFA is in place and the finding is stale; regenerate the credential report before investigating further.
e. Set Up MFA Device:
In the "Multi-factor authentication (MFA)" section, click "Assign MFA device" ("Manage MFA device" in older versions of the console) and follow the instructions. The device can be a virtual authenticator app (TOTP), a FIDO security key, or a hardware TOTP token. For a TOTP device you must enter two consecutive codes so that IAM can confirm the seed was captured correctly.
f. Test MFA Configuration:
Once the device is registered, have the user sign out and sign back in; after entering the username and password they should be prompted for the MFA code. As an administrator you cannot sign in as the user, so verify on your side that the device now appears in the user's "Multi-factor authentication (MFA)" section, or that mfa_active is true for the user in a freshly generated IAM credential report.
Necessary Codes (if applicable):
Enabling MFA through the console requires no code. The same operations are available through the IAM API (CreateVirtualMFADevice and EnableMFADevice) and the AWS CLI, which is the practical route when many users must be remediated or when the check itself has to run on a schedule.
Remediation Steps:
To remediate the non-compliant IAM users without MFA enabled, follow these steps:
1. Identify Non-compliant IAM Users:
Identify the IAM users who have a console password but no active MFA device. The IAM credential report is the simplest source: a user fails this rule when password_enabled is true and mfa_active is false. Users whose password is disabled (API/CLI-only users) are out of scope for this rule, and the root account is assessed by a separate control.
2. Enable MFA for Non-compliant IAM Users:
For each non-compliant IAM user, enable MFA by following the troubleshooting steps mentioned above.
3. Test MFA Configuration:
After enabling MFA, confirm for each remediated user that an MFA device is listed in their "Security credentials" tab, or regenerate the credential report and check that mfa_active is now true. Where practical, also have the user sign out and back in to confirm they are prompted for the MFA code.
4. Document and Communicate:
Document the remediation actions taken and communicate the MFA requirement to users, referencing GxP 21 CFR Part 11. Communication alone does not stop a user from later removing their device; where possible, also attach an IAM policy that denies actions unless the aws:MultiFactorAuthPresent condition key is true, so that a console session without MFA can do nothing beyond enrolling a device.
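The identification step above, and the "Necessary Codes" section, can be served by a small script instead of a manual review. The following is an added example (not part of the original page and not AWS or vendor code) that applies this rule's logic to an IAM credential report: it parses the CSV that `aws iam get-credential-report` returns base64-encoded in its Content field and classifies every user, keeping API-only users and the root account out of the alarm list. The column names are those of the real report; the account ID, user names and timestamps in SAMPLE_REPORT are constructed, and the function names (evaluate_user, noncompliant_users, decode_cli_output) are this example's own.

```python
"""Check IAM users with console access for MFA, from an IAM credential report."""
import base64
import csv
import io
import json
import sys

# Constructed sample in the layout of the IAM credential report CSV.
# The header is the real one (first nine columns); the rows are made up.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,access_key_1_active\n"
    # Root: password_enabled is reported as not_supported, handled separately.
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,true,false\n"
    # Console user with MFA: compliant.
    "alice,arn:aws:iam::123456789012:user/alice,2021-05-10T08:00:00+00:00,"
    "true,2024-03-02T09:00:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,false\n"
    # Console user without MFA: the case this rule flags.
    "bob,arn:aws:iam::123456789012:user/bob,2021-06-01T08:00:00+00:00,"
    "true,no_information,2023-11-20T09:00:00+00:00,N/A,false,true\n"
    # Access-key-only user: no console password, so the rule does not apply.
    "ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-02-01T08:00:00+00:00,"
    "false,N/A,N/A,N/A,false,true\n"
)


def parse_credential_report(csv_text):
    """Parse the decoded credential-report CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def decode_cli_output(json_text):
    """`aws iam get-credential-report` prints JSON whose Content field holds the
    base64-encoded CSV; return the decoded CSV text."""
    return base64.b64decode(json.loads(json_text)["Content"]).decode("utf-8")


def evaluate_user(row):
    """Classify one credential-report row against this rule.

    Returns (status, reason), where status is one of:
      skip           - root account; its MFA is covered by a separate control
      not_applicable - no console password, so console MFA cannot apply
      ok             - console password and an active MFA device
      alarm          - console password but no active MFA device
    """
    if row["user"] == "<root_account>":
        return ("skip", "root account is evaluated by a separate control")
    if row["password_enabled"] != "true":
        return ("not_applicable", "no console password (API/CLI-only user)")
    if row["mfa_active"] == "true":
        return ("ok", "MFA device active")
    return ("alarm", "console access without MFA")


def evaluate_report(csv_text):
    """Return {user: (status, reason)} for every row of the report."""
    return {row["user"]: evaluate_user(row) for row in parse_credential_report(csv_text)}


def noncompliant_users(csv_text):
    """Sorted user names that fail the rule (status == alarm)."""
    return sorted(user for user, (status, _) in evaluate_report(csv_text).items()
                  if status == "alarm")


if __name__ == "__main__":
    # Usage: aws iam generate-credential-report
    #        aws iam get-credential-report > report.json
    #        python3 check_console_mfa.py report.json
    # Without an argument the constructed sample above is evaluated.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report_csv = decode_cli_output(fh.read())
    else:
        report_csv = SAMPLE_REPORT
    for user, (status, reason) in evaluate_report(report_csv).items():
        print(f"{status:<15} {user:<20} {reason}")
    sys.exit(1 if noncompliant_users(report_csv) else 0)
```

Run `aws iam generate-credential-report` before fetching the report: IAM reuses a cached report for up to four hours, so a device enabled a few minutes ago may otherwise still show mfa_active as false. For each user listed as alarm, MFA can be enabled from the CLI with `aws iam create-virtual-mfa-device` (which returns the device's serial-number ARN) followed by `aws iam enable-mfa-device --user-name <user> --serial-number <arn> --authentication-code1 <code> --authentication-code2 <code>` using two consecutive codes from the user's device, or the user can enrol in the console as described above.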
By following these steps, you can ensure that IAM users with console access have MFA enabled as per the GxP 21 CFR Part 11 policy. This enhances the security of your AWS environment and helps meet regulatory compliance requirements.