
IAM Root User Hardware MFA Enabled Rule

This rule ensures that the AWS account root user has a hardware MFA device enabled.

Rule: IAM root user hardware MFA should be enabled
Framework: NIST 800-171 Revision 2
Severity: Critical

IAM Root User Hardware MFA Requirement for NIST 800-171 Revision 2

Rule Description

NIST 800-171 Revision 2 requirement 3.5.3 calls for multifactor authentication on privileged accounts. The AWS account root user is the most privileged identity in an account: IAM policies do not constrain it, and it alone can close the account, change billing and support settings and reset the account's credentials. This rule therefore requires that root sign-in be protected by a hardware MFA device (a hardware TOTP token or a FIDO security key) rather than a virtual MFA device. A virtual device's TOTP seed lives on a phone or laptop and can be copied, backed up or phished along with the password, whereas a hardware device keeps the secret in the token. The check passes only when root MFA is enabled and the device assigned to root is not a virtual MFA device; an account whose root user has an authenticator-app device is reported in alarm.

Troubleshooting Steps

If the device cannot be assigned or its codes are rejected, check the following:

  1. The device is a type AWS can enrol for the root user: a hardware TOTP token bought from the third-party provider AWS supports (AWS holds the seed for those tokens only, so a generic TOTP token cannot be enrolled), or a FIDO2 security key.
  2. For a TOTP token, the two codes entered must be consecutive and entered promptly. TOTP codes are time-based, so a token whose clock has drifted is rejected; a drifted token on an IAM user can be resynchronised with `aws iam resync-mfa-device`, and on the root user from the root user's "Security credentials" page.
  3. The device is activated and, for a security key, recognised by the browser (a key that is not plugged in or touched when prompted fails enrolment).
  4. You are signed in as the root user itself, with the account's e-mail address and password. IAM permissions do not apply to the root user, and no IAM user or role can assign an MFA device to root on its behalf.

Necessary Codes

The root user is not an IAM user, so the `aws iam enable-mfa-device` API cannot enrol its device; root MFA is assigned only from the console while signed in as root (see the remediation steps below). The command does apply to IAM users, and there `--serial-number` is required rather than optional: for a hardware TOTP token it is the serial number printed on the token, for a virtual device it is the device ARN. The two authentication codes must be consecutive codes from the device:

aws iam enable-mfa-device --user-name <iam-user-name> --serial-number <serial-number> --authentication-code1 <code-one> --authentication-code2 <code-two>

What the CLI can do for the root user is verify the rule. The AccountMFAEnabled field returned by `aws iam get-account-summary` reports whether root has any MFA device, and a virtual device assigned to root appears in `aws iam list-virtual-mfa-devices --assignment-status Assigned` with the root ARN as its user. The rule is satisfied when the first reports 1 and the second lists no device assigned to root; no root credentials are needed to run either call.
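The evaluation described above, written out as an added example (this is not Cloud Defense's or AWS's code). It applies the rule to the shape of the GetAccountSummary and ListVirtualMFADevices responses, using constructed sample responses with a fictional account id; the `evaluate_live_account` helper is an assumed wrapper that fetches the real responses with boto3 and is only imported when called, so the module runs offline. The serial-number fallback in `is_root_virtual_device` is an assumption for records that lack a `User` block; the User ARN is the authoritative signal.

```python
"""Evaluate the 'IAM root user hardware MFA enabled' rule from IAM API data.

Added example (not Cloud Defense's or AWS's code).  Equivalent CLI calls:

  aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
  aws iam list-virtual-mfa-devices --assignment-status Assigned

AccountMFAEnabled == 1 means the root user has some MFA device; a virtual
(authenticator-app) device assigned to root is listed with the root ARN as its
User.  Hardware MFA therefore means: MFA enabled AND no virtual device on root.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RootMfaFinding:
    account_mfa_enabled: bool
    root_virtual_mfa_serial: str | None

    @property
    def status(self) -> str:
        """'ok' only when root has MFA and that MFA is not a virtual device."""
        return "ok" if self.account_mfa_enabled and self.root_virtual_mfa_serial is None else "alarm"

    @property
    def reason(self) -> str:
        if not self.account_mfa_enabled:
            return "root user has no MFA device"
        if self.root_virtual_mfa_serial is not None:
            return f"root user MFA is virtual ({self.root_virtual_mfa_serial}), not hardware"
        return "root user MFA enabled with no virtual device assigned"


def is_root_virtual_device(device: dict) -> bool:
    """True if a ListVirtualMFADevices entry is assigned to the account root user.

    The authoritative signal is User.Arn ending in ':root'.  The serial suffix
    'mfa/root-account-mfa-device' is the name the console gave root devices by
    default and is kept only as a fallback for records without a User block
    (assumption).
    """
    user_arn = device.get("User", {}).get("Arn", "")
    if user_arn:
        return user_arn.endswith(":root")
    return device.get("SerialNumber", "").endswith(":mfa/root-account-mfa-device")


def evaluate_root_mfa(account_summary: dict, virtual_mfa_devices: list[dict]) -> RootMfaFinding:
    """Apply the rule to GetAccountSummary and ListVirtualMFADevices responses."""
    enabled = account_summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1
    root_serial = next(
        (d.get("SerialNumber") for d in virtual_mfa_devices if is_root_virtual_device(d)),
        None,
    )
    return RootMfaFinding(enabled, root_serial)


def evaluate_live_account(session=None) -> RootMfaFinding:
    """Run the rule against a real account (assumed helper).

    Needs credentials allowed iam:GetAccountSummary and iam:ListVirtualMFADevices;
    an IAM user or role is enough, root is not required to read this.  boto3 is
    imported here so the rest of the module runs offline.
    """
    import boto3

    iam = (session or boto3.Session()).client("iam")
    summary = iam.get_account_summary()
    devices: list[dict] = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return evaluate_root_mfa(summary, devices)


# Constructed sample responses (fictional account id), shaped like the real API output.
ACCOUNT_ID = "123456789012"
SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0}}
ROOT_VIRTUAL_DEVICE = {
    "SerialNumber": f"arn:aws:iam::{ACCOUNT_ID}:mfa/root-account-mfa-device",
    "User": {"Arn": f"arn:aws:iam::{ACCOUNT_ID}:root", "UserId": ACCOUNT_ID},
}
USER_VIRTUAL_DEVICE = {
    "SerialNumber": f"arn:aws:iam::{ACCOUNT_ID}:mfa/alice",
    "User": {"Arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice", "UserName": "alice"},
}


def scenario_statuses() -> dict[str, str]:
    """Three accounts: no root MFA, virtual root MFA, hardware root MFA."""
    return {
        "no_mfa": evaluate_root_mfa(SUMMARY_MFA_OFF, []).status,
        "virtual_root_mfa": evaluate_root_mfa(SUMMARY_MFA_ON, [ROOT_VIRTUAL_DEVICE, USER_VIRTUAL_DEVICE]).status,
        "hardware_root_mfa": evaluate_root_mfa(SUMMARY_MFA_ON, [USER_VIRTUAL_DEVICE]).status,
    }


if __name__ == "__main__":
    for name, status in scenario_statuses().items():
        print(f"{name}: {status}")
```

The third scenario is the one that passes: MFA is enabled on the account and the only virtual device belongs to an IAM user, so root's device must be hardware. Note that an IAM user's virtual device is irrelevant to this rule; only a virtual device whose user ARN is the root ARN turns the finding to alarm.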

Step-by-Step Guide for Remediation

  1. Sign in to the AWS Management Console as the root user, using the account's e-mail address and password. The root user does not appear in the IAM "Users" list and cannot be managed from there.
  2. Choose the account name in the top-right corner of the console and select "Security credentials."
  3. Under "Multi-factor authentication (MFA)", choose "Assign MFA device."
  4. Enter a device name and select the device type: "Hardware TOTP token" for a token bought from an AWS-supported provider, or the security key option for a FIDO2 key. Do not select "Authenticator app"; that creates a virtual MFA device, which does not satisfy this rule.
  5. For a hardware TOTP token, enter the serial number printed on the token, then two consecutive codes generated by it. For a security key, follow the browser prompt to plug in and touch the key.
  6. Confirm to finish the assignment, then sign out and sign in again as root to check that the device is requested.
  7. The root user can hold more than one MFA device, so if a virtual device was previously assigned to root, remove it once the hardware device works; the rule stays in alarm while any virtual device is assigned to root. Store the hardware device in a physically secured, documented location.

Note: in the `aws iam enable-mfa-device` command the `--serial-number` parameter is required, not optional. For a hardware TOTP token it is the serial number printed on the token; for a virtual device it is the device ARN. The command applies to IAM users only; the root user's device can be assigned only from the console as described above.

Conclusion

Enabling hardware MFA for the root user is a fundamental step in meeting the NIST 800-171 Revision 2 multifactor authentication requirement for privileged accounts. Assign the device from the console while signed in as root, confirm with the AWS CLI that AccountMFAEnabled is 1 and that no virtual MFA device is assigned to root, and use the troubleshooting steps above if the device is rejected.
