
IAM Users with Console Access MFA Rule

This rule ensures IAM users with console access have MFA enabled to enhance security.

Rule: IAM users with console access should have MFA enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description: IAM users with console access should have Multi-Factor Authentication (MFA) enabled in accordance with the NIST 800-53 Revision 5 security standard. This rule helps to protect against unauthorized access to the AWS Management Console by requiring an additional layer of verification in addition to the user's password.

Troubleshooting Steps:

  1. Verify the rule evaluation status: Check that the AWS Config service is evaluating the IAM users' MFA status correctly.
  2. Identify affected IAM users: Determine which IAM users have console access but do not have MFA enabled.
  3. Check MFA device configuration: Verify that the affected IAM users have properly configured and associated MFA devices.

Remediation Steps:

  1. Enable MFA for affected IAM users: For each IAM user identified as lacking MFA, follow these steps to enable MFA.
     a. Sign in to the AWS Management Console using an account with sufficient permissions.
     b. Open the IAM console.
     c. In the navigation pane, select "Users".
     d. Search for and select the IAM user without MFA enabled.
     e. Select the "Security credentials" tab.
     f. Under "Assigned MFA device", click the "Manage" button.
     g. On the MFA device management page, click the "Activate MFA" button.
     h. Follow the instructions to set up an MFA device for the user, such as a virtual MFA device or a hardware MFA device.
     i. Once the MFA device is set up, choose "Continue" to complete the activation process.

  2. Enable MFA for new IAM users: To enforce this rule for newly created IAM users, you can create an IAM policy and apply it to the corresponding IAM user or group. Here is an example of a policy that enforces MFA for all new IAM users:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Deny",
         "Action":[
            "iam:CreateUser",
            "iam:DeleteUser",
            "iam:DeactivateMFADevice"
         ],
         "Resource":"*",
         "Condition":{
            "BoolIfExists":{
               "aws:MultiFactorAuthPresent":"false"
            }
         }
      }
   ]
}

After creating the policy, attach it to the predefined IAM group or user creation process to enforce MFA during user creation.

  3. Regularly review and enforce MFA compliance: Create a periodic review process to check for IAM users without MFA enabled and take appropriate actions, such as disabling console access or enforcing MFA for those users.
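As an added example (not Cloud Defense's code), the following Python check implements the user identification in troubleshooting step 2 and the periodic review in this step: it parses an IAM credential report and lists users that have a console password but no active MFA device. It assumes the report's standard column names (password_enabled, mfa_active) and uses a constructed sample report in place of a real one.

```python
import csv
import io

# Constructed sample in the column layout of the AWS IAM credential report.
# A real report is fetched with:
#   aws iam get-credential-report --query Content --output text | base64 -d
# Only the columns this check reads (user, arn, password_enabled,
# password_last_used, mfa_active) carry meaningful values.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-01-02T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,true,no_information,2023-12-01T00:00:00+00:00,N/A,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-05-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def console_users_without_mfa(report_csv):
    """Return one finding per IAM user that has a console password but no MFA.

    A user counts as a console user only when password_enabled is literally
    "true". "false" (API-only users such as deployment keys) and
    "not_supported" (the root account row, which this rule does not cover)
    are both treated as no console access and skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_password = row.get("password_enabled", "").strip().lower() == "true"
        has_mfa = row.get("mfa_active", "").strip().lower() == "true"
        if has_password and not has_mfa:
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                # kept so a reviewer can prioritise users who actually log in
                "password_last_used": row.get("password_last_used", "N/A"),
            })
    return findings


if __name__ == "__main__":
    for finding in console_users_without_mfa(SAMPLE_REPORT):
        print(f"[High] {finding['user']} ({finding['arn']}): console access "
              f"enabled, MFA not active, last login {finding['password_last_used']}")
```

The same function can be pointed at a freshly downloaded report to drive the periodic review described in this step.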

Note: It is recommended to integrate MFA with AWS Single Sign-On (SSO) to simplify MFA management across multiple AWS accounts and services.

Keep in mind that enabling MFA for IAM users with console access enhances the security of your AWS environment, aligning with NIST 800-53 Revision 5 guidelines.
