
Rule: IAM Root User Hardware MFA Should Be Enabled

This rule focuses on enabling hardware MFA for the IAM root user.

Rule: IAM root user hardware MFA should be enabled
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description:

The rule requires that the AWS Identity and Access Management (IAM) root user have hardware Multi-Factor Authentication (MFA) enabled, as required by the NIST 800-53 Revision 5 security controls. MFA adds an extra layer of security by requiring a second form of authentication, in this case a hardware device, in addition to the username and password.

Troubleshooting Steps (if required):

If MFA is not enabled for the root user, the following troubleshooting steps can be taken:

  1. Ensure that an appropriate hardware MFA device is available.
  2. Verify that the MFA device is compatible with IAM and AWS services.
  3. If the MFA device is not working, check the battery level and connectivity.
  4. Ensure that the MFA device is correctly synchronized with the time-based one-time password (TOTP) algorithm.

Necessary Code (if required):

No specific code is required for this rule.

Steps for Remediation:

To enable hardware MFA for the root user and comply with NIST 800-53 Revision 5 security controls, follow the steps below:

Step 1: Prepare the Hardware MFA Device

  1. Acquire a hardware MFA device compatible with IAM and AWS services.
  2. Ensure that the device is in working condition and properly synchronized with the TOTP algorithm.
  3. Make sure you have administrative access to your AWS account.

Step 2: Enable Hardware MFA for the Root User

  1. Sign in to the AWS Management Console using root user credentials.
  2. Open the IAM service console.
  3. In the navigation pane, click on "Users."
  4. Locate and select the root user from the user list.
  5. Click on the "Security credentials" tab.
  6. Under "Multi-Factor Authentication (MFA)", click on "Manage MFA device."
  7. Select the "Hardware MFA device" option and click on "Continue."
  8. Follow the on-screen instructions to associate the hardware MFA device with the root user.

Note: The specific steps for associating the hardware MFA device may vary depending on the device you are using. Please refer to the device manufacturer's documentation for detailed instructions.

Step 3: Test the Hardware MFA Configuration

  1. Log out of the AWS Management Console.
  2. Go to the AWS Management Console login page.
  3. Enter the root user credentials.
  4. When prompted, use the hardware MFA device to generate the authentication code.
  5. Enter the authentication code into the login page.
  6. If the authentication is successful, you have enabled hardware MFA for the root user.

Conclusion:

Enabling hardware Multi-Factor Authentication (MFA) for the root user is essential to meet the security requirements of NIST 800-53 Revision 5. By following the outlined steps, you can ensure that the root user has an additional layer of security, making it more challenging for unauthorized users to access your AWS account.
