IAM Users with Console Access Should Have MFA Enabled

This rule ensures all IAM users with console access have multi-factor authentication enabled for enhanced security.

Rule: IAM users with console access should have MFA enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description

IAM users with console access should have Multi-Factor Authentication (MFA) enabled. This rule is in accordance with the NIST (National Institute of Standards and Technology) Special Publication 800-53 Revision 5 security standard. Enforcing MFA adds an additional layer of security to protect the user's credentials and prevent unauthorized access.

Troubleshooting Steps

If an IAM user does not have MFA enabled, follow these troubleshooting steps:

  1. Check the IAM user's MFA status:

    • Go to the IAM Management Console.
    • Navigate to "Users" in the sidebar.
    • Search for and select the user requiring troubleshooting.
    • In the "Security credentials" tab, verify whether MFA is enabled or disabled for the user.

  2. Enable MFA for the IAM user:

    • In the "Security credentials" tab for the user, click "Manage" next to "Assigned MFA device".
    • Follow the instructions to set up MFA. This usually involves choosing a virtual or hardware device to link with the user's account.

  3. Test the MFA configuration:

    • After enabling MFA, log out of the IAM user's console session, if any.
    • Attempt to log in using the user's credentials.
    • When prompted, provide the temporary authentication code from the registered MFA device.

  4. If the MFA setup fails, double-check the device association:

    • Go to the "Security credentials" tab for the user.
    • Click "Manage" next to "Assigned MFA device".
    • Confirm that the currently assigned device is correctly linked and functioning.

Code

There is no specific code provided as this rule requires manual configuration in the AWS Management Console.
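The status check in the troubleshooting steps above can also be run account-wide. The script below is an added example, not code from the Cloud Defense page: it parses an IAM credential report (the CSV that `aws iam get-credential-report` returns) and lists every user that has a console password but no active MFA device. The sample report embedded in the script is constructed for the example, with a placeholder account id; the optional `fetch_live_report` helper pulls a real report with boto3 and is only needed against a live account.

```python
"""Flag IAM users that can sign in to the console but have no MFA device.

Added example: checks an IAM credential report for rows where
password_enabled is "true" (a console login profile exists) while
mfa_active is not "true".
"""
import csv
import io
import time
from typing import Dict, List

# Constructed sample report (a subset of the real report's columns; the
# account id and user names are placeholders). Note the real-world edge
# cases: the root row reports password_enabled as "not_supported", and a
# keys-only user ("ci-deploy") has no console password at all.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T09:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T10:00:00+00:00,true,2024-02-01T08:00:00+00:00,2023-12-01T08:00:00+00:00,2024-03-01T08:00:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-05-06T11:00:00+00:00,true,no_information,2022-05-06T11:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-07-08T12:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def parse_credential_report(report_csv: str) -> List[Dict[str, str]]:
    """Turn the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def users_without_console_mfa(rows: List[Dict[str, str]]) -> List[str]:
    """Return user names that have console access but no active MFA.

    Only password_enabled == "true" counts as console access: the root
    row says "not_supported" (it is covered by a separate root-MFA rule),
    and users without a login profile cannot reach the console at all.
    """
    findings = []
    for row in rows:
        if row["password_enabled"] != "true":
            continue
        if row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def fetch_live_report() -> str:
    """Generate and download the current credential report via boto3.

    Needs AWS credentials with iam:GenerateCredentialReport and
    iam:GetCredentialReport. Report generation is asynchronous, so poll
    until the service reports COMPLETE before downloading it.
    """
    import boto3  # imported here so the offline check needs no AWS SDK

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # parse_credential_report(fetch_live_report()) for a real account.
    rows = parse_credential_report(SAMPLE_REPORT)
    for user in users_without_console_mfa(rows):
        print(f"NON-COMPLIANT: {user} has console access without MFA")
```

Run offline it flags only `bob`: `alice` has MFA, `ci-deploy` has access keys but no console password, and root is excluded because the credential report marks its password as `not_supported`. Against a live account, the same function runs over the report returned by `fetch_live_report`.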

Remediation Steps

To enable MFA for an IAM user, follow this step-by-step guide:

  1. Open the AWS Management Console and sign in as an IAM user with administrative privileges.

  2. Navigate to the IAM service.

  3. In the sidebar, click "Users".

  4. Search for and select the IAM user for whom you want to enable MFA.

  5. In the "Security credentials" tab, locate the "Assigned MFA device" section and click "Manage".

  6. Select the appropriate MFA option:

    • Virtual MFA device: Choose this option to use a virtual MFA device, such as an authenticator app on a mobile device.
    • U2F security key: Choose this option to use a physical U2F security key.

  7. Follow the on-screen instructions to set up the chosen MFA option. This may involve scanning a QR code, entering a serial number, or configuring the physical device.

  8. After completing the MFA setup, test the configuration:

    • Log out of the IAM user's console session, if any.
    • Attempt to log in again using the IAM user's credentials.
    • Provide the temporary authentication code generated by the MFA device when prompted.

  9. Verify that MFA is working for the user by confirming a successful login with the authentication code.

Following these steps will enforce MFA for the IAM user, ensuring compliance with the NIST 800-53 Revision 5 security standard.
