
IAM Root User Hardware MFA Enabled Rule

This rule ensures that IAM root user hardware MFA is enabled for security purposes.

Rule: IAM root user hardware MFA should be enabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Critical

IAM Root User Hardware MFA Enablement for NIST CSF v1 Compliance

The NIST Cybersecurity Framework (CSF) provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. Implementing hardware Multi-Factor Authentication (MFA) for IAM root users is an essential element in meeting the NIST CSF requirements.

Understanding the Requirement

Enabling hardware MFA for the IAM root user in AWS provides an additional layer of security above and beyond standard password protection. This is critical as the root user has full access to all resources in the AWS account.

To align with NIST CSF v1, MFA should be:

  • Configured using a physical or hardware-based device.
  • Required for every sign-in attempt by the root user.

Detailed Description of the Rule

  • Policy Requirement: MFA should be enabled for the AWS account's root user.
  • Implementation: Physical hardware security tokens should be used.
  • Standards Alignment: The rule aligns with NIST CSF PR.AC-1: Identities and credentials are managed for authorized devices and users.

Troubleshooting Steps

If enabling MFA is unsuccessful, perform the following checks:

  1. Ensure that the hardware MFA device is compatible with AWS.
  2. Verify that the device is not already associated with another AWS account.
  3. Check that the time on the hardware MFA device is synchronized correctly.
  4. Confirm that you are entering the correct code from the hardware MFA device.

Necessary Codes

No specific code is necessary, as enabling hardware MFA is a manual process performed in the AWS Management Console. However, the AWS CLI can be used to verify the result:

aws iam list-mfa-devices --user-name <root_user_name>

Replace <root_user_name> with the applicable AWS root account username to list MFA devices.

Step by Step Guide for Remediation

Enabling Hardware MFA:

  1. Sign in to the AWS Management Console as the root user.
  2. Navigate to the 'My Security Credentials' section beneath the account name on the console.
  3. In the Multi-Factor Authentication (MFA) section, click on "Activate MFA".
  4. Select "A hardware MFA device" and follow the prompts to complete the setup, which includes scanning the QR code or entering the serial number for the device and successive MFA codes.
  5. Test the MFA device to ensure it's working correctly by logging out and back in with the MFA device.

Verification:

After setting up MFA, you may want to verify that the hardware MFA device is indeed enabled:

  1. Open the Terminal or Command Prompt.
  2. Use the AWS CLI command mentioned above to list the MFA devices associated with the root user.

Necessary CLI Commands

For verification purposes, you can use:

aws iam list-mfa-devices --user-name <root_user_name>

Make sure to replace <root_user_name> with your IAM root user's actual name to retrieve details about the MFA devices.
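One caveat when verifying: the root user is not an IAM user, so `--user-name` cannot be pointed at it; the account-level view of root MFA comes from `aws iam get-account-summary` (the `AccountMFAEnabled` field) together with `aws iam list-virtual-mfa-devices --assignment-status Assigned`, which reveals whether the enabled device is a virtual (software) one. The following Python example is added here and is not part of this page or the Cloud Defense product; it evaluates the rule's pass/fail logic over constructed copies of those two JSON responses, and the function names and the 123456789012 account ID are assumptions.

```python
"""Evaluate the 'IAM root user hardware MFA enabled' rule from AWS CLI output.

Inputs are the JSON documents returned by
  aws iam get-account-summary
  aws iam list-virtual-mfa-devices --assignment-status Assigned
"""
import json


def root_mfa_status(summary: dict, virtual_devices: dict) -> str:
    """Return 'hardware', 'virtual' or 'none' for the root user's MFA."""
    # AccountMFAEnabled is 1 when an MFA device is assigned to the root user.
    if summary["SummaryMap"].get("AccountMFAEnabled", 0) != 1:
        return "none"
    # A virtual device whose User.Arn is the root principal means MFA is
    # software-based, which does not satisfy a hardware-MFA rule.
    for device in virtual_devices.get("VirtualMFADevices", []):
        user_arn = device.get("User", {}).get("Arn", "")
        if user_arn.endswith(":root"):
            return "virtual"
    # MFA is on and no virtual device is bound to root, so the device must be
    # hardware (a FIDO security key or a hardware TOTP token).
    return "hardware"


def rule_passes(summary: dict, virtual_devices: dict) -> bool:
    """The rule passes only when root MFA is enabled and hardware-based."""
    return root_mfa_status(summary, virtual_devices) == "hardware"


# Constructed sample responses (not from a real account); account ID is a placeholder.
SUMMARY_MFA_ON = json.loads('{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 4}}')
SUMMARY_MFA_OFF = json.loads('{"SummaryMap": {"AccountMFAEnabled": 0, "Users": 4}}')
VIRTUAL_ON_ROOT = json.loads("""{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
   "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"}}]}""")
NO_VIRTUAL = {"VirtualMFADevices": []}

if __name__ == "__main__":
    cases = [("hardware token on root", SUMMARY_MFA_ON, NO_VIRTUAL),
             ("virtual MFA on root", SUMMARY_MFA_ON, VIRTUAL_ON_ROOT),
             ("no MFA on root", SUMMARY_MFA_OFF, NO_VIRTUAL)]
    for label, summary, devices in cases:
        verdict = "PASS" if rule_passes(summary, devices) else "FAIL"
        print(f"{label}: {root_mfa_status(summary, devices)} -> {verdict}")
```

Feed the two real CLI responses into the same functions to reproduce the rule's verdict for an account; a virtual device bound to the root ARN is the case a "hardware MFA" rule must flag even though AccountMFAEnabled is 1.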
