This rule ensures that IAM root user multi-factor authentication (MFA) is enabled for enhanced security.
| Rule | IAM root user MFA should be enabled |
| --- | --- |
| Framework | NIST 800-53 Revision 4 |
| Severity | Medium |
Rule Description:
The rule requires that multi-factor authentication (MFA) be enabled for the root user in AWS Identity and Access Management (IAM) to comply with the NIST 800-53 Revision 4 security control.
Enabling MFA for the root user adds an extra layer of security by requiring an additional form of authentication, such as a physical token or a mobile application, in addition to the regular username and password.
Troubleshooting Steps:
If MFA is not enabled for the root user, follow these troubleshooting steps:
1. Ensure that you have sufficient privileges to modify the root user's MFA settings.
2. Check whether an existing virtual MFA device is attached to the root user. If not, proceed to the next step.
3. If MFA is already enabled for the root user but not compliant with NIST 800-53 Revision 4, you may need to update the MFA configuration to meet the compliance requirements.
4. If you encounter any errors or issues during the MFA setup or configuration, cross-check the steps you have followed against the official AWS documentation or seek assistance from AWS Support.
Necessary Codes:
There are no specific codes required to enable MFA for the root user. However, you will need to follow a series of steps in the AWS Management Console or use AWS Command Line Interface (CLI) commands to enable MFA effectively.
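As an added example (not part of the original rule text), the following Python script evaluates this rule offline from the two AWS CLI outputs that expose root MFA state: `aws iam get-account-summary` (`SummaryMap.AccountMFAEnabled`) and `aws iam get-credential-report` (base64 CSV with a `<root_account>` row and an `mfa_active` column). The sample inputs are constructed; in practice you would feed in the saved CLI JSON.

```python
"""Offline evaluator for the 'IAM root user MFA should be enabled' rule.
Reads the two IAM artefacts that expose root MFA state (sample inputs are constructed):
  aws iam get-account-summary   -> SummaryMap.AccountMFAEnabled (0 or 1)
  aws iam get-credential-report -> Content: base64 CSV, row user=<root_account>, column mfa_active
"""
import base64
import csv
import io
import json

ROOT_USER = "<root_account>"

def root_mfa_from_summary(summary_json: str) -> bool:
    """True when SummaryMap.AccountMFAEnabled == 1, i.e. root has an MFA device."""
    return json.loads(summary_json).get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1

def root_mfa_from_credential_report(report_json: str) -> bool:
    """True when the <root_account> row has mfa_active=true; fails loudly if the row is absent."""
    report_csv = base64.b64decode(json.loads(report_json)["Content"]).decode("utf-8")
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER:
            return row["mfa_active"].strip().lower() == "true"
    raise ValueError("credential report has no <root_account> row")

def evaluate(summary_json: str, report_json: str) -> dict:
    """Rule passes ('ok') only when both sources agree that root MFA is enabled."""
    summary_ok = root_mfa_from_summary(summary_json)
    report_ok = root_mfa_from_credential_report(report_json)
    return {"status": "ok" if summary_ok and report_ok else "alarm",
            "account_summary": summary_ok, "credential_report": report_ok}

def encode_report(report_csv: str) -> str:
    """Wrap plain CSV the way get-credential-report returns it (base64 in a JSON 'Content' field)."""
    return json.dumps({"Content": base64.b64encode(report_csv.encode()).decode(),
                       "ReportFormat": "text/csv"})

# Constructed samples: the leading columns follow the real report's header order (trailing
# access-key and certificate columns omitted); account id and timestamps are invented.
SAMPLE_SUMMARY = json.dumps({"SummaryMap": {"AccountMFAEnabled": 0, "Users": 2}})
SAMPLE_CSV = ("user,arn,user_creation_time,password_enabled,password_last_used,"
              "password_last_changed,password_next_rotation,mfa_active\n"
              "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
              "not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,false\n"
              "alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,"
              "true,no_information,2021-01-01T00:00:00+00:00,N/A,true\n")

if __name__ == "__main__":
    print(evaluate(SAMPLE_SUMMARY, encode_report(SAMPLE_CSV)))  # status: alarm
```

Checking both sources catches the case where the account summary flag and the credential report disagree (for example a stale report generated before the device was assigned).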
Step-by-step Guide for Remediation:
Follow these steps to enable MFA for the root user in AWS IAM:
1. Log in to the AWS Management Console using your root user credentials.
2. Navigate to the IAM service by searching for "IAM" in the services search bar.
3. In the IAM dashboard, on the left-hand side, click "Users" to view the list of IAM users.
4. Locate the "root" user in the list and click its username to access the user details.
5. In the "Security credentials" tab, find the MFA device section and click the "Manage" link next to the "Assigned MFA device" field.
6. In the "Manage MFA device" dialog box, choose the type of MFA device you want to associate with the root user: a virtual MFA device or a physical MFA device.
7. Follow the on-screen instructions to configure the chosen MFA device type. This may include scanning a QR code, entering codes generated by the device, or other device-specific steps.
8. Once you have successfully configured the MFA device, AWS will ask you to provide an authentication code generated by the device for verification.
9. Enter the authentication code to complete the MFA setup.
10. After enabling MFA, ensure that you securely store your MFA device or backup codes and follow best practices for MFA device management.
11. Verify that MFA is enabled and working correctly by logging out of the AWS Management Console and logging back in, providing the MFA code when prompted.
By completing these steps, you will have successfully enabled MFA for the root user in AWS IAM, in compliance with the NIST 800-53 Revision 4 security control.