This rule states that IAM users with console access must have multi-factor authentication (MFA) enabled for added security.
| Attribute | Value |
| --- | --- |
| Rule | IAM users with console access should have MFA enabled |
| Framework | NIST 800-171 Revision 2 |
| Severity | High |
Rule Description
This rule enforces the requirement that IAM users with console access must have Multi-Factor Authentication (MFA) enabled. This is in compliance with the NIST 800-171 Revision 2 security standards. MFA adds an extra layer of security to the authentication process by requiring users to provide two or more different types of authentication factors, such as a password and a one-time generated code from a physical or virtual device.
Troubleshooting Steps
Necessary Codes
There are no specific codes associated with this rule. However, you can use the AWS Command Line Interface (CLI) to retrieve information about IAM users and their MFA status. Note that `aws iam list-users` does not return MFA information itself; the following command lists each user and checks, with `aws iam list-mfa-devices`, whether at least one MFA device (virtual or hardware) is assigned, printing only the users that have MFA enabled:
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' \
  | while read -r u; do [ "$(aws iam list-mfa-devices --user-name "$u" --query 'length(MFADevices)' --output text)" -gt 0 ] && echo "$u"; done
Step-by-Step Guide for Remediation
To ensure IAM users with console access have MFA enabled, follow these steps:
1. Access the AWS Management Console using an IAM user with administrative privileges.
2. Open the IAM service by searching for "IAM" in the AWS services search bar and selecting it.
3. In the navigation pane on the left, click "Users" to view the list of IAM users.
4. Identify the IAM users without MFA enabled by checking the "MFA Device" column.
5. Select an IAM user without MFA enabled and click the "Security credentials" tab.
6. In the "Assigned MFA device" section, click the "Manage" link.
7. When prompted, choose the appropriate MFA device type (hardware or virtual).
8. Follow the on-screen instructions to set up the MFA device for the selected IAM user.
9. Repeat steps 5-8 for each IAM user without MFA enabled.
10. After setting up MFA for each user, verify MFA status by running the following command in the AWS CLI; it prints the users that have at least one MFA device assigned:
    aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' \
      | while read -r u; do [ "$(aws iam list-mfa-devices --user-name "$u" --query 'length(MFADevices)' --output text)" -gt 0 ] && echo "$u"; done
11. Ensure that all IAM users with console access now have MFA enabled.
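The verification command above only shows which users have an MFA device; the rule is specifically about users with console (password) access, and the IAM credential report records both facts per user as `password_enabled` and `mfa_active`. The following added example (not part of the original rule page) evaluates such a report and prints the console users that lack MFA; the account id, user names and report rows are constructed, and `live_credential_report` shows how the same CSV is fetched from a real account.

```shell
#!/bin/sh
# Added example, not from the original rule page: evaluate an IAM credential
# report against this control. A user has console access when
# password_enabled is true; the control is violated when that user also has
# mfa_active false. The root row reports "not_supported" for password_enabled
# and is therefore skipped (root MFA is covered by a separate control).

# Reads the decoded credential report CSV on stdin and prints one
# non-compliant user name per line. Columns are located by header name, not
# position, so the check keeps working if AWS appends columns to the report.
noncompliant_console_users() {
  awk -F, '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("user" in col) || !("password_enabled" in col) || !("mfa_active" in col)) {
        print "credential report is missing expected columns" > "/dev/stderr"
        exit 2
      }
      next
    }
    $(col["password_enabled"]) == "true" && $(col["mfa_active"]) == "false" {
      print $(col["user"])
    }
  '
}

# Constructed sample report (hypothetical account 111122223333 and users),
# trimmed to the first eight columns of the real report format.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2023-02-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T00:00:00+00:00,true,no_information,2023-03-01T00:00:00+00:00,N/A,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-04-01T00:00:00+00:00,false,N/A,N/A,N/A,false'

# Fetch the report from the live account instead (needs iam:GenerateCredentialReport
# and iam:GetCredentialReport). Generation is asynchronous, so poll until COMPLETE.
live_credential_report() {
  until aws iam generate-credential-report --query State --output text | grep -q COMPLETE; do
    sleep 2
  done
  aws iam get-credential-report --query Content --output text | base64 -d
}

# Stand-alone run on the constructed sample; prints "bob".
printf '%s\n' "$SAMPLE_REPORT" | noncompliant_console_users
```

Against a real account, replace the last line with `live_credential_report | noncompliant_console_users`; any name printed is a finding for this rule.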
Conclusion
Enforcing MFA for IAM users with console access enhances the security posture of your AWS environment, aligning it with NIST 800-171 Revision 2 standards. By following the step-by-step guide outlined above, you can ensure that all IAM users have MFA enabled and comply with security best practices.