
IAM Users with Console Access Should Have MFA Enabled Rule

This rule specifies that IAM users with console access must have MFA enabled for added security.

Rule: IAM users with console access should have MFA enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

This rule requires that IAM users with console access have Multi-Factor Authentication (MFA) enabled in order to comply with the security standards outlined in the National Institute of Standards and Technology (NIST) 800-53 Revision 5.

Troubleshooting Steps:

If an IAM user does not have MFA enabled, follow the troubleshooting steps below to remedy the issue:

  1. Verify MFA configuration:

    • Ensure that the IAM user has a valid MFA device associated with their account.
    • Check if the MFA device is properly synchronized and functional.
    • Confirm that the IAM user has sufficient permissions to manage their MFA settings.

  2. Enable MFA for the IAM user:

    • If MFA is not already enabled for the IAM user, proceed to enable it.
    • In the AWS Management Console, navigate to the IAM service.
    • Select the IAM user for whom MFA needs to be enabled.
    • Click on the "Security Credentials" tab.
    • Under "Multi-factor authentication (MFA)", click on "Manage".
    • Follow the on-screen instructions to associate an MFA device with the user's account.

  3. Test MFA functionality:

    • Ensure that the MFA device is working properly by testing the authentication process.
    • Attempt to sign in as the IAM user and provide the MFA code when prompted.
    • If the MFA authentication is successful, the user has been properly configured with MFA.

Necessary Code:

There's no specific code required for this rule. However, you can use the AWS Command Line Interface (CLI) to enable MFA for an IAM user if necessary.
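As an added example (not part of the Cloud Defense rule page or of AWS's own tooling), the following Python function performs the check this rule describes against the IAM credential report, which `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns as base64-encoded CSV. Console access is signalled by the `password_enabled` column and MFA by `mfa_active`; the report rows below are constructed sample data, and the account ID is a placeholder.

```python
import csv
import io

# Constructed sample of an IAM credential report, trimmed to the columns this
# check reads. A real report is produced by `aws iam generate-credential-report`
# and fetched with `aws iam get-credential-report` (Content field, base64 CSV).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-02T10:00:00+00:00,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-01-05T09:00:00+00:00,true,false
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T00:00:00+00:00,true,no_information,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-07T00:00:00+00:00,false,N/A,false,true
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_console_mfa(report_csv: str) -> dict[str, str]:
    """Evaluate each IAM user in a credential report against this rule.

    Console access is indicated by password_enabled == "true" (the user has a
    login profile); MFA by mfa_active == "true". Users without a password can
    only use access keys, so the rule does not apply to them. The root account
    row is skipped: its password_enabled is "not_supported" and root MFA is a
    separate control.
    """
    results: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        has_console = row["password_enabled"].strip().lower() == "true"
        has_mfa = row["mfa_active"].strip().lower() == "true"
        if not has_console:
            results[row["user"]] = NOT_APPLICABLE
        elif has_mfa:
            results[row["user"]] = COMPLIANT
        else:
            results[row["user"]] = NON_COMPLIANT
    return results


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Names of users that fail the rule, in report order."""
    return [user for user, status in evaluate_console_mfa(report_csv).items()
            if status == NON_COMPLIANT]
```

Running `console_users_without_mfa` over a freshly fetched report gives the list of users that the remediation steps below need to be applied to.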

Step-by-Step Guide for Remedy:

Follow the step-by-step guide below to enable MFA for an IAM user:

  1. Install and configure the AWS CLI (if not already installed). Refer to the AWS CLI documentation for instructions specific to your operating system.

  2. Open the command line or terminal application.

  3. Run the following command to enable MFA for the IAM user:

     aws iam enable-mfa-device --user-name <IAM_USERNAME> --serial-number <MFA_DEVICE_SERIAL_NUMBER> --authentication-code1 <FIRST_AUTHENTICATION_CODE> --authentication-code2 <SECOND_AUTHENTICATION_CODE>

     • Replace <IAM_USERNAME> with the username of the IAM user.
     • Replace <MFA_DEVICE_SERIAL_NUMBER> with the serial number of the MFA device associated with the user.
     • Replace <FIRST_AUTHENTICATION_CODE> and <SECOND_AUTHENTICATION_CODE> with two consecutive MFA authentication codes from the user's device.

  4. Verify that the command executed successfully and returned the expected output.

  5. Test the MFA functionality by signing in as the IAM user and providing the MFA code when prompted.

  6. Repeat these steps for each IAM user that requires MFA enablement.

Conclusion:

Enabling MFA for IAM users with console access ensures an additional layer of security, aligning with the NIST 800-53 Revision 5 requirements. By following the troubleshooting steps and the provided guide for remediation, you can comply with this rule and enhance the overall security posture of your AWS environment.
