IAM Root User MFA Enabled Rule

This rule ensures that MFA is enabled for the IAM root user.

Rule: IAM root user MFA should be enabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Description of the Rule

To comply with NIST 800-53 Revision 5, Multi-Factor Authentication (MFA) should be enabled for the IAM root user. The IAM root user has unrestricted access to and control over all resources and services within an AWS account. Enabling MFA adds an extra layer of security to the root user's login process by requiring an additional verification step beyond the password.

MFA is a security feature that combines something you know (password) with something you possess (MFA device) to verify your identity. By enabling MFA for the IAM root user, it becomes highly unlikely for unauthorized individuals to gain access to your AWS account.

Troubleshooting Steps (if applicable)

If MFA is not enabled for the IAM root user, the following troubleshooting steps can be followed:

  1. Ensure that you have access and permissions to manage IAM users and settings in your AWS account.
  2. Check if there are any existing virtual or hardware MFA devices associated with the root user.
  3. Make sure you have a compatible MFA device available (e.g., an MFA app on a smartphone or a physical hardware device).
  4. Verify that the root user's password is up to date. If needed, reset the password to a strong and unique one.
  5. Ensure that you have administrative access to your AWS Management Console.

Necessary Codes (if applicable)

No specific code is required for enabling MFA for the IAM root user. It can be done through the AWS Management Console or AWS CLI.
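As an added example (not code from Cloud Defense or AWS), the script below evaluates this rule the way an automated check would: it reads the AccountMFAEnabled field that `aws iam get-account-summary` returns and cross-checks it against the `<root_account>` row of the IAM credential report. The sample inputs are constructed; the `evaluate_live_account` function is the only part that needs boto3 and real credentials.

```python
import csv
import io
import time

# Constructed sample of the SummaryMap from `aws iam get-account-summary`.
SAMPLE_SUMMARY_MAP = {"AccountMFAEnabled": 0, "Users": 12, "MFADevices": 3}

# Constructed sample (column subset) of the decoded CSV from
# `aws iam get-credential-report`; the root user is listed as <root_account>.
SAMPLE_CREDENTIAL_REPORT = (
    "user,arn,password_enabled,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,not_supported,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,true,true\n"
)

def root_mfa_enabled_from_summary(summary_map: dict) -> bool:
    """AccountMFAEnabled is 1 only when the root user has an MFA device."""
    return int(summary_map.get("AccountMFAEnabled", 0)) == 1

def root_mfa_enabled_from_credential_report(report_csv: str) -> bool:
    """Read the root row's mfa_active column; a missing row is an error, not a pass."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row["mfa_active"].strip().lower() == "true"
    raise ValueError("<root_account> row missing from credential report")

def evaluate_rule(summary_map: dict, report_csv: str) -> dict:
    """Fail closed: the rule passes only when both sources say MFA is on."""
    summary_ok = root_mfa_enabled_from_summary(summary_map)
    report_ok = root_mfa_enabled_from_credential_report(report_csv)
    return {
        "rule": "IAM root user MFA should be enabled",
        "framework": "NIST 800-53 Revision 5",
        "severity": "Medium",
        "status": "PASS" if summary_ok and report_ok else "FAIL",
        "sources_agree": summary_ok == report_ok,
    }

def evaluate_live_account() -> dict:
    """Same check against a real account (needs boto3 and IAM read credentials)."""
    import boto3  # imported here so the offline samples above run without it
    iam = boto3.client("iam")
    summary_map = iam.get_account_summary()["SummaryMap"]
    # The credential report is generated asynchronously; poll until it is ready.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    report_csv = iam.get_credential_report()["Content"].decode()
    return evaluate_rule(summary_map, report_csv)
```

A disagreement between the two sources (`sources_agree` false) usually means a stale credential report, which can be up to four hours old, so rerun after regenerating it.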

Step-by-Step Guide for Remediation:

Follow the step-by-step guide below to enable MFA for the IAM root user:

  1. Sign in to the AWS Management Console as the root user using your root user credentials.
  2. Open the IAM service.
  3. In the left navigation pane, click on "Dashboard."
  4. Under "Security Status," locate the "Activate MFA on your root account" section and click on "Manage MFA."
  5. On the "Manage MFA Device" page, select "Virtual MFA device" or "U2F security key" depending on your preference.
     • Virtual MFA device: Select this option if you want to use a compatible MFA app on your smartphone to generate MFA codes.
     • U2F security key: Select this option if you have a compatible physical hardware device.
  6. Follow the on-screen instructions to complete the setup for your chosen MFA device type.
  7. Once the MFA device is successfully configured, you will be prompted to perform the MFA verification step during future root user logins.
  8. Verify that MFA has been enabled by attempting to log in as the root user and completing the MFA verification process.

Congratulations! You have successfully enabled MFA for the IAM root user, aligning with the NIST 800-53 Revision 5 compliance requirement. This additional layer of security helps protect your AWS account from unauthorized access and reduces the risk of security breaches. Remember to securely store and maintain your MFA device to ensure continued access to your AWS account.
