This rule checks if the IAM root user has hardware MFA enabled for added security.
Rule | IAM root user hardware MFA should be enabled
Framework | NIST 800-53 Revision 4
Severity | Critical
Rule Description
The rule requires that the root user in the AWS Identity and Access Management (IAM) service has hardware multi-factor authentication (MFA) enabled. This is in accordance with the security requirements outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4.
Remediation Steps
To enable hardware MFA for the root user in the IAM service, follow these steps:
1. Obtain a Hardware MFA Device
Procure a supported hardware MFA device, such as a hardware token or a smart card. These devices generate one-time codes that are tied to the root user's authentication credentials.
2. Attach the Hardware MFA Device
a. Sign in to the AWS Management Console as the root user.
b. Go to the IAM service.
c. In the navigation pane, click on "Users."
d. Select the root user.
e. Click on the "Security credentials" tab.
f. In the "Multi-factor authentication (MFA)" section, click on "Manage MFA device."
g. Click on "Continue" to proceed to associate a hardware MFA device.
3. Begin MFA Association Process
a. Choose "U2F Security Key" or "Virtual MFA Device" as the MFA type, depending on the hardware MFA device you obtained.
b. Follow the on-screen instructions for the selected MFA type.
c. Complete the MFA device association process by providing the required information and validating the device.
4. Enable MFA
a. After the MFA device is successfully associated with the root user, return to the IAM management console.
b. In the "Multi-factor authentication (MFA)" section for the root user, choose "Activate MFA."
c. Enter the current MFA code generated by your hardware MFA device.
d. Click on "Activate MFA" to enable MFA for the root user.
Troubleshooting Steps (if MFA is not working)
If the MFA activation process encounters issues or if the MFA is not functioning correctly, follow these troubleshooting steps:
1. Verify Device Compatibility
Ensure that the hardware MFA device being used is compatible with the AWS IAM service. Refer to the AWS documentation for a list of supported devices.
2. Reset MFA Device
a. Sign in to the AWS Management Console as the root user.
b. Go to the IAM service, and then click on "Users" in the navigation pane.
c. Select the root user.
d. Click on the "Security credentials" tab.
e. In the "Multi-factor authentication (MFA)" section, click on "Manage MFA device."
f. Click on "Deactivate MFA" to remove the existing association.
g. Follow the earlier instructions in the "Remediation Steps" section to re-associate the MFA device.
3. Contact AWS Support
If the issue persists or the MFA device fails to work, it is recommended to contact AWS Support for further assistance.
Relevant AWS CLI Commands (if applicable)
Note that enabling MFA for the root user is not directly achievable with the AWS CLI. It is recommended to follow the web-based instructions mentioned earlier.
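Although the CLI cannot enable root MFA, it can verify this rule. The following added example (not part of the original rule text) evaluates the check from the two responses that `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned` return: the account-level AccountMFAEnabled flag shows whether root has any MFA device, and an assigned virtual device whose owner is the root ARN shows that the device is software rather than hardware. The sample responses and the account ID 111111111111 are constructed for illustration.

```python
# Constructed sample responses (not captured from a real account), shaped like
# the JSON output of `aws iam get-account-summary` and
# `aws iam list-virtual-mfa-devices --assignment-status Assigned`.
SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}

# Root's MFA is a virtual (software TOTP) device: rule should FAIL.
VIRTUAL_ROOT = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::111111111111:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::111111111111:root", "UserId": "111111111111"}}]}

# Only an IAM user has a virtual device; root's MFA (if any) is not virtual.
VIRTUAL_IAM_USER_ONLY = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::111111111111:mfa/alice",
     "User": {"Arn": "arn:aws:iam::111111111111:user/alice", "UserId": "AIDACONSTRUCTED"}}]}


def root_has_virtual_mfa(virtual_devices):
    """True if any assigned virtual MFA device belongs to the root user.

    Root is identified by the owning user's ARN ending in ":root"; the
    serial-number suffix is a second, AWS-documented hint for the same device.
    """
    for dev in virtual_devices.get("VirtualMFADevices", []):
        user_arn = dev.get("User", {}).get("Arn", "")
        serial = dev.get("SerialNumber", "")
        if user_arn.endswith(":root") or serial.endswith(":mfa/root-account-mfa-device"):
            return True
    return False


def evaluate_root_hardware_mfa(summary, virtual_devices):
    """Return ("PASS" | "FAIL", reason) for the hardware-MFA-on-root rule.

    PASS requires both: the account-level MFA flag is set for root, and the
    root device is not one of the assigned virtual devices.
    """
    mfa_enabled = summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1
    if not mfa_enabled:
        return "FAIL", "root user has no MFA device of any kind"
    if root_has_virtual_mfa(virtual_devices):
        return "FAIL", "root MFA is a virtual (software) device, not hardware"
    return "PASS", "root MFA is enabled and not backed by a virtual device"


if __name__ == "__main__":
    for label, summary, devices in [("hardware", SUMMARY_MFA_ON, VIRTUAL_IAM_USER_ONLY),
                                    ("virtual", SUMMARY_MFA_ON, VIRTUAL_ROOT),
                                    ("none", SUMMARY_MFA_OFF, VIRTUAL_IAM_USER_ONLY)]:
        print(label, evaluate_root_hardware_mfa(summary, devices))
```

Against a live account the same two dictionaries come from `boto3.client("iam").get_account_summary()` and `list_virtual_mfa_devices(AssignmentStatus="Assigned")`; a FIDO security key or hardware TOTP token registered for root passes because it never appears in the virtual-device list.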
Additional Notes
Enabling hardware MFA for the root user ensures an additional layer of security by requiring a physical device in addition to the user's password. This helps protect against unauthorized access to critical AWS resources and reduces the risk of security breaches.