This rule checks that multi-factor authentication (MFA) is enabled on the AWS account root user, the one identity in an account that no IAM policy can restrict.
| Rule | IAM root user MFA should be enabled |
|---|---|
| Framework | NIST 800-171 Revision 2 |
| Severity | Medium |
Rule Description
NIST 800-171 Revision 2 requires multifactor authentication for access to privileged accounts (requirement 3.5.3), and the AWS root user is the most privileged account there is: it is not subject to IAM permission policies or service control policies, so a root password compromise is a full account takeover. Enabling MFA on the root user means a password alone is no longer enough to sign in; the attacker also needs the registered MFA device (a FIDO security key, an authenticator app, or a hardware TOTP token), which turns a phished or leaked password into a contained event instead of a breach.
How to Verify Compliance
Open the AWS Management Console and sign in. Checking the status does not require the root user: any IAM user or role that can read IAM (iam:GetAccountSummary) sees the same indicator, and signing in as root just to look is itself something to avoid.
Go to the "Services" menu and select "IAM".
In the IAM console, select "Dashboard" from the left navigation panel.
Look for the "Security Status" section on the dashboard. Newer versions of the console label this panel "Security recommendations" and show the finding as "Add MFA for root user"; if neither is present, the root user's own "Security credentials" page (account menu, top right) has a "Multi-factor authentication (MFA)" section, but that page does require root sign-in.
Under the "Security Status" section, find the "Root User MFA" row.
If the root user MFA status is "Not enabled" (or the "Add MFA for root user" recommendation is still shown), the requirement is not met.
Troubleshooting Steps
If the check reports root user MFA as not enabled, or enabling it does not take, work through the following before repeating the remediation steps below:
Confirm you are signed in as the root user (the account email address and password), not as an IAM user or a role. IAM principals cannot assign an MFA device to the root user, and neither can the AWS CLI or API; the "Manage" or "Assign MFA device" action only appears for the root session.
Console wording changes over time. If the dashboard has no "Security Status" section, open the account menu, choose "Security credentials", and use the "Multi-factor authentication (MFA)" section; the "Assign MFA device" workflow there is the same one the steps below describe.
If MFA was enabled but an automated check based on the IAM credential report still shows mfa_active = false for <root_account>, the report is probably stale: AWS serves a cached report for up to four hours. Re-generate it, or use the account summary (AccountMFAEnabled), which reflects the current state.
If the console shows MFA as enabled but sign-in never prompts for it, verify you signed in with the root email address and not an IAM user with a similar name; the MFA device belongs to one identity only.
Register more than one device (AWS allows multiple MFA devices on the root user) and keep any hardware or FIDO key in a physically secured place. Losing the only root MFA device forces the account recovery process, which is slow and requires access to the account email and phone number.
Necessary Codes (if applicable)
Enabling MFA on the root user is a manual, console-only step: there is no CLI command or API call that assigns an MFA device to the root user, and it must be done while signed in as root. Verifying the state, on the other hand, is scriptable from an ordinary IAM principal with read access: the GetAccountSummary API returns an AccountMFAEnabled flag (1 when the root user has at least one MFA device), and the IAM credential report has an mfa_active column on its <root_account> row. Automated compliance scanners use one or both of these rather than the console.
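The enable step is console-only, but the check is not. The following Python is added here as an example; it is not code from the rule page or from AWS. It evaluates the two API views a compliance scanner would use, the AccountMFAEnabled flag from GetAccountSummary and the mfa_active column of the <root_account> row in the credential report, and refuses to pass the rule unless both agree. The SummaryMap dictionaries and the credential-report CSV embedded below are constructed to mirror the real response shapes and are not from a real account; the live_check function is an assumption about how you would wire the same logic to boto3 and is not prescribed by the page.

```python
"""Scripted check for root user MFA (added example, not from the rule page).

Two API views are parsed:
  * GetAccountSummary   -> SummaryMap["AccountMFAEnabled"] (1 = root has MFA)
  * GetCredentialReport -> CSV whose "<root_account>" row has "mfa_active"
The sample SummaryMap dicts and CSV text below are constructed to mirror the
real response shapes; the values are made up.
"""
import csv
import io
import time

ROOT_ROW = "<root_account>"


def root_mfa_from_summary(summary_map: dict) -> bool:
    """True when the account summary reports MFA on the root user.

    Only AccountMFAEnabled describes the root user. MFADevices and
    MFADevicesInUse count devices across all IAM users and can be non-zero
    while the root user has none, so they must not be used for this rule.
    """
    return int(summary_map.get("AccountMFAEnabled", 0)) == 1


def root_mfa_from_credential_report(report_csv: str) -> bool:
    """True when the credential report's root row has mfa_active == true.

    A report with no <root_account> row raises instead of returning False or
    True, so a truncated or wrong file can never be read as compliant.
    """
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == ROOT_ROW:
            return row.get("mfa_active", "").strip().lower() == "true"
    raise ValueError("credential report has no <root_account> row")


def evaluate(summary_map: dict, report_csv: str) -> dict:
    """Combine both sources. The rule passes only if both say MFA is enabled.

    A disagreement usually means a stale credential report (AWS caches it for
    up to four hours); it is surfaced rather than resolved optimistically.
    """
    from_summary = root_mfa_from_summary(summary_map)
    from_report = root_mfa_from_credential_report(report_csv)
    return {
        "summary_says_enabled": from_summary,
        "report_says_enabled": from_report,
        "sources_agree": from_summary == from_report,
        "compliant": from_summary and from_report,
    }


# --- constructed sample data (shapes match the real API, values are made up) ---
HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,"
          "password_last_changed,password_next_rotation,mfa_active,access_key_1_active")


def sample_report(root_mfa_active: str) -> str:
    """Build a two-row credential report; only the root row's mfa_active varies."""
    return "\n".join([
        HEADER,
        f"{ROOT_ROW},arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
        f"not_supported,2024-05-01T12:00:00+00:00,not_supported,not_supported,"
        f"{root_mfa_active},false",
        "alice,arn:aws:iam::123456789012:user/alice,2021-03-03T00:00:00+00:00,"
        "true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true",
    ]) + "\n"


# alice has a device, so MFADevices is 1 even though root has none
SUMMARY_NONCOMPLIANT = {"AccountMFAEnabled": 0, "Users": 2, "MFADevices": 1, "MFADevicesInUse": 1}
SUMMARY_COMPLIANT = {"AccountMFAEnabled": 1, "Users": 2, "MFADevices": 2, "MFADevicesInUse": 2}


def live_check() -> dict:
    """Run the same evaluation against a real account with boto3 (assumed wiring).

    Needs credentials allowed iam:GetAccountSummary, iam:GenerateCredentialReport
    and iam:GetCredentialReport; an IAM user or role is fine, root is not needed.
    """
    import boto3  # imported here so the offline samples run without boto3 installed

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    # Report generation is asynchronous; poll until AWS reports it complete.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    report = iam.get_credential_report()["Content"].decode("utf-8")
    return evaluate(summary, report)


if __name__ == "__main__":
    print("non-compliant sample:", evaluate(SUMMARY_NONCOMPLIANT, sample_report("false")))
    print("compliant sample:    ", evaluate(SUMMARY_COMPLIANT, sample_report("true")))
```

Two design points worth keeping in any scanner: read AccountMFAEnabled rather than the MFADevices counters, which count every IAM user's devices, and treat a missing <root_account> row as an error rather than a pass. When the two sources disagree right after remediation, regenerate the credential report before raising a finding; it can lag the account summary by up to four hours.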
Remediation Steps
To enable MFA for the root user, follow these steps. They must be carried out in the console while signed in as the root user; an IAM user, the CLI and the API cannot assign an MFA device to the root user.
Sign in to the AWS Management Console using the root user credentials (the account email address and password).
Open the IAM console.
Click on "Dashboard" in the left navigation panel.
Locate the "Security Status" section on the dashboard. Newer console versions show a "Security recommendations" panel with an "Add MFA for root user" item instead, and the account menu's "Security credentials" page leads to the same workflow.
Under the "Security Status" section, find the "Root User MFA" row.
Click the "Manage" link on the right side of the "Root User MFA" row.
On the next page, click the "Activate MFA" button (labelled "Assign MFA device" in newer console versions).
Give the device a name and choose a device type: a passkey or FIDO security key, an authenticator app (a virtual MFA device), or a hardware TOTP token. For the root user, prefer a security key or hardware token that is kept in a physically secured place; an app on one person's phone is the weakest choice for a shared break-glass identity.
If selecting an authenticator app, install one on your mobile device, scan the QR code the console shows, and enter two consecutive codes from the app when asked so that AWS can confirm the device's secret and clock.
If selecting a hardware TOTP token, enter its serial number and two consecutive codes from its display; for a security key, touch the key when the browser prompts.
Repeat the assignment to register a second device, so that losing one does not lock you out of the root user.
Once MFA is set up successfully, the "Root User MFA" status shows "Enabled" on the IAM dashboard. Sign out, sign back in as root to confirm the MFA prompt appears, and re-run the verification steps above.
Conclusion
Enabling Multi-Factor Authentication (MFA) for the AWS IAM root user is required to meet the privileged-account MFA requirement of NIST 800-171 Revision 2, and it is the single highest-value control on an AWS account because nothing else limits what the root user can do. The steps above verify and enable it in the AWS Management Console, and the state can be monitored continuously through the account summary or credential report. MFA on the root user reduces the risk that a leaked or phished password becomes a full account takeover; it complements, and does not replace, the practice of locking the root user away and doing day-to-day work through IAM roles with least-privilege permissions.