This rule checks that the IAM root user has MFA enabled and that the MFA device is a hardware device rather than a virtual (software) authenticator.

| Attribute | Value |
| --- | --- |
| Rule | IAM root user hardware MFA should be enabled |
| Framework | HIPAA |
| Severity | Critical |
Enabling Hardware MFA for IAM Root User for HIPAA Compliance
Introduction
Under the Health Insurance Portability and Accountability Act (HIPAA), the Security Rule requires covered entities to implement access controls that protect electronic Protected Health Information (ePHI). HIPAA does not name AWS or any particular authentication technology, but the AWS IAM root user has unrestricted access to every resource in the account, so protecting it with multi-factor authentication (MFA), preferably a hardware device rather than an authenticator app, is a standard control mapped to this requirement.
Detailed Rule Description
This control checks that the root user has MFA enabled and that the MFA device is not a virtual (software) authenticator. A hardware device, whether a hardware TOTP token that displays a one-time code or a FIDO security key, adds a factor that requires physical possession of the device: a leaked root password, or a TOTP seed phished or harvested from a phone app, is not enough on its own to sign in. Only personnel holding the device can sign in as root, which is why the device should be stored securely and its custody documented.
Prerequisites
Before enabling hardware MFA, obtain a hardware MFA device that AWS supports for the root user. AWS supports two kinds: a hardware TOTP token (for example the Thales, formerly Gemalto, key-fob and card tokens sold for use with AWS) and a FIDO security key (for example a YubiKey). The steps below cover a hardware TOTP token; a FIDO security key is registered by touching the key when prompted instead of entering codes. Note that a YubiKey has no display and is not a standalone TOTP token; with AWS it is used as a FIDO security key.
Steps to Enable Hardware MFA
Step 1: Sign in to the AWS Management Console as the Root User
Access the AWS Management Console using your AWS account email address and password.
Step 2: Open the IAM Console
Navigate to the IAM console by searching for 'IAM' in the services search bar.
Step 3: Access the Security Credentials Page
On the IAM console Dashboard, the security recommendations panel shows a warning when the root user has no MFA; choose "Add MFA" for the root user. Alternatively, open the account menu at the top right of the console, choose "Security credentials", and under "Multi-factor authentication (MFA)" choose "Assign MFA device". Both paths lead to the same "Select MFA device" page.
Step 4: Register the Hardware MFA Device
On the "Select MFA device" page, enter a device name, choose "Hardware TOTP token", and continue. Enter the serial number printed on the token exactly as shown, then enter two consecutive codes from the token's display (wait for the code to change between the two entries) so that AWS can synchronize with the device clock, and choose "Add MFA". The root user can have up to eight MFA devices; registering a second hardware device and storing it separately protects against a single lost or broken token locking you out of the account.
Common Troubleshooting Steps
If you are having difficulty enabling hardware MFA, consider the following troubleshooting steps:
Check Device Compatibility
Ensure your hardware MFA device is compatible with AWS and supports the TOTP protocol.
Sync Timing Issues
If codes from the device are rejected, the token's internal clock has probably drifted from AWS time. Hardware TOTP tokens are time-based, so a drifted clock produces codes AWS will not accept; resynchronize the device from the root user's "Security credentials" page by entering two consecutive codes rather than retrying a single code.
Serial Number Entry
Double-check that the serial number entered during the setup matches exactly with the number on the hardware MFA device.
Device Reset
If the device is not working properly, you may need to reset it according to the manufacturer’s instructions and restart the syncing process.
CLI Commands
MFA for the root user cannot be enabled with the AWS CLI or API; it must be done in the AWS Management Console while signed in as the root user. The CLI can, however, audit the result with read-only calls, which is how this rule is evaluated: `aws iam get-account-summary` reports `AccountMFAEnabled`, and `aws iam list-virtual-mfa-devices --assignment-status Assigned` lists software authenticators. The root user passes when `AccountMFAEnabled` is 1 and no listed virtual device is assigned to the ARN `arn:aws:iam::<account-id>:root`. A FIDO security key is not a virtual device, so it also satisfies the check.
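To make the audit concrete, here is an added example (not code from this page, from AWS, or from the compliance framework) that applies the rule's pass/fail logic to the JSON returned by `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned`. The sample responses are constructed; the account ID 123456789012 is the placeholder AWS uses in its documentation. The `fetch_live_inputs` helper shows how to obtain real input with boto3 (it needs credentials with `iam:GetAccountSummary` and `iam:ListVirtualMFADevices`) and is not called by default, so the rest of the file runs offline.

```python
"""Evaluate the rule "IAM root user hardware MFA should be enabled" offline.

Added example, not code from the page or from AWS. It applies the audit
logic used for this control (the same logic as the CIS AWS Foundations
Benchmark root-MFA check) to the JSON returned by two read-only IAM calls:

  aws iam get-account-summary
  aws iam list-virtual-mfa-devices --assignment-status Assigned

Pass condition: AccountMFAEnabled == 1 AND no virtual MFA device is
assigned to the root user ARN (arn:aws:iam::<account-id>:root).
A hardware TOTP token or a FIDO security key never appears in the virtual
device list, so either passes; an authenticator app on root fails.
"""
import json


def root_hardware_mfa_enabled(account_summary: dict, virtual_mfa_devices: dict) -> tuple[bool, str]:
    """Return (passed, reason) for the control given the two API responses."""
    summary = account_summary.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        return False, "root user has no MFA device enabled"
    for device in virtual_mfa_devices.get("VirtualMFADevices", []):
        # "User" is absent for unassigned devices. The root user's ARN has
        # no "user/" path component; it ends in ":root".
        user_arn = (device.get("User") or {}).get("Arn", "")
        if user_arn.endswith(":root"):
            return False, f"root user MFA is a virtual device: {device.get('SerialNumber')}"
    return True, "root user MFA is enabled and is not a virtual device"


def evaluate_cli_json(summary_json: str, devices_json: str) -> tuple[bool, str]:
    """Same check, fed the raw text of the two CLI commands run with --output json."""
    return root_hardware_mfa_enabled(json.loads(summary_json), json.loads(devices_json))


# Constructed sample responses; 123456789012 is the AWS documentation placeholder account ID.
ACCOUNT_ID = "123456789012"
SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}
NO_ROOT_VIRTUAL = {
    "VirtualMFADevices": [
        {"SerialNumber": f"arn:aws:iam::{ACCOUNT_ID}:mfa/alice",
         "User": {"UserName": "alice", "UserId": "AIDAEXAMPLE",
                  "Arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"}},
    ]
}
ROOT_VIRTUAL = {
    "VirtualMFADevices": NO_ROOT_VIRTUAL["VirtualMFADevices"] + [
        {"SerialNumber": f"arn:aws:iam::{ACCOUNT_ID}:mfa/root-account-mfa-device",
         "User": {"UserId": ACCOUNT_ID, "Arn": f"arn:aws:iam::{ACCOUNT_ID}:root"}},
    ]
}


def evaluate_samples() -> dict:
    """Run the control against the three constructed scenarios."""
    return {
        "hardware_or_fido_on_root": root_hardware_mfa_enabled(SUMMARY_MFA_ON, NO_ROOT_VIRTUAL),
        "authenticator_app_on_root": root_hardware_mfa_enabled(SUMMARY_MFA_ON, ROOT_VIRTUAL),
        "no_mfa_on_root": root_hardware_mfa_enabled(SUMMARY_MFA_OFF, NO_ROOT_VIRTUAL),
    }


def fetch_live_inputs() -> tuple[dict, dict]:
    """Pull the real responses with boto3; paginates the device list.

    Needs credentials allowing iam:GetAccountSummary and iam:ListVirtualMFADevices.
    """
    import boto3  # imported here so the offline part of this file runs without it
    iam = boto3.client("iam")
    summary = iam.get_account_summary()
    devices = {"VirtualMFADevices": []}
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices["VirtualMFADevices"].extend(page["VirtualMFADevices"])
    return summary, devices


if __name__ == "__main__":
    for name, (ok, why) in evaluate_samples().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```

The check deliberately looks for the absence of a virtual device rather than the presence of a hardware one, because the IAM API exposes no list of hardware TOTP tokens or FIDO keys; that is also why a root user whose only MFA is a FIDO security key passes this rule.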
Remediation
If your hardware MFA is lost or needs to be replaced:
Following this guide ensures that the IAM root user for your AWS account is protected with hardware MFA, which supports HIPAA access-control obligations and reduces the exposure of the most privileged identity in the account to credential theft. Re-check the rule after any change to the root user's MFA devices, including the registration of a replacement token, to confirm the control still passes.