
Rule: Hardware MFA should be enabled for the root user

This rule ensures that hardware MFA is enabled for the root user to enhance security measures.

Rule: Hardware MFA should be enabled for the root user
Framework: PCI v3.2.1
Severity: Critical

Rule Description

Hardware Multi-Factor Authentication (MFA) adds a second layer of protection to an account by requiring possession of a physical device, such as a smart card or USB token, in addition to the username and password. Enabling Hardware MFA for the root user is a crucial security control, especially in the context of the Payment Card Industry Data Security Standard (PCI DSS) version 3, because the root user has unrestricted access to every resource in the account. PCI DSS is a set of security requirements for organizations that handle credit card transactions, intended to ensure the protection of cardholder data.

Troubleshooting Steps

If you encounter any issues while enabling or configuring Hardware MFA for the root user, you can follow these troubleshooting steps:

  1. Hardware Compatibility: Ensure that the hardware device you are using is compatible with the system and meets the necessary requirements.
  2. Driver Installation: Check if the required drivers for the hardware device are properly installed on the system.
  3. Configuration: Verify that the configuration settings for the hardware device are correctly set up and match the recommended settings.
  4. Testing: Perform a test authentication using the hardware device to ensure it is functioning correctly.
  5. Support: If the issue persists, reach out to the hardware device manufacturer's support for further assistance.

Code Example

In AWS, enabling Hardware MFA for the root user can be achieved by following these steps:

  1. Create or Obtain a Hardware MFA Device: Purchase or obtain a compatible Hardware MFA device that supports AWS MFA (e.g., YubiKey, RSA SecurID).
  2. Sign In to the AWS Management Console: Log in to the AWS Management Console using the root user credentials.
  3. Navigate to the IAM Service: In the AWS Management Console, search for "IAM" in the services search bar and click on "IAM" to access the Identity and Access Management service.
  4. Access the Root User Settings: In the IAM dashboard, click on "Users" in the left-hand menu. Then, select the root user from the list of users.
  5. Enable MFA: Within the root user details page, go to the "Security credentials" tab. Under "Multi-factor authentication (MFA)", click on "Manage".
  6. Associate MFA Device: In the MFA device setup wizard, select "A hardware MFA device" and click on "Continue".
  7. Scan or Enter Serial Number: Follow the instructions provided by your specific hardware MFA device to either scan a QR code or enter the serial number associated with the device. Click on "Assign MFA device" once completed.
  8. Complete Device Setup: On the next screen, follow the instructions provided by your MFA device to complete the setup process.
  9. Verify MFA: After completing the device setup, you will be prompted to verify the MFA device. Enter the provided code from your MFA device and click "Assign MFA".
  10. Enable MFA: Once the MFA verification is successful, click on "Activate MFA" to enable Hardware MFA for the root user.

Remediation Steps

If Hardware MFA is not enabled for the root user, follow these steps to remediate the configuration:

  1. Obtain a Hardware MFA Device: Purchase or obtain a compatible Hardware MFA device that supports AWS MFA (e.g., YubiKey, RSA SecurID).
  2. Sign In to the AWS Management Console: Log in to the AWS Management Console using the root user credentials.
  3. Navigate to the IAM Service: In the AWS Management Console, search for "IAM" in the services search bar and click on "IAM" to access the Identity and Access Management service.
  4. Access the Root User Settings: In the IAM dashboard, click on "Users" in the left-hand menu. Then, select the root user from the list of users.
  5. Enable MFA: Within the root user details page, go to the "Security credentials" tab. Under "Multi-factor authentication (MFA)", click on "Manage".
  6. Associate MFA Device: In the MFA device setup wizard, select "A hardware MFA device" and click on "Continue".
  7. Scan or Enter Serial Number: Follow the instructions provided by your specific hardware MFA device to either scan a QR code or enter the serial number associated with the device. Click on "Assign MFA device" once completed.
  8. Complete Device Setup: On the next screen, follow the instructions provided by your MFA device to complete the setup process.
  9. Verify MFA: After completing the device setup, you will be prompted to verify the MFA device. Enter the provided code from your MFA device and click "Assign MFA".
  10. Enable MFA: Once the MFA verification is successful, click on "Activate MFA" to enable Hardware MFA for the root user.

By following these steps, you will successfully enable Hardware MFA for the root user in compliance with PCI DSS version 3 requirements.
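The console steps above (in both the Code Example and Remediation sections) enable the device but give you no automated way to confirm the rule is satisfied. The following script is an added example, not Cloud Defense's own check: it evaluates the two IAM API responses that distinguish "root has MFA" from "root has a hardware MFA device". The account IDs and device ARNs in the samples are constructed placeholders; the live query helper assumes boto3 credentials with iam:GetAccountSummary and iam:ListVirtualMFADevices.

```python
"""Check whether the AWS root user is protected by a *hardware* MFA device.

Logic (the same distinction PCI/CIS benchmark tools draw):
  1. GetAccountSummary -> AccountMFAEnabled == 1 means root has some MFA.
  2. ListVirtualMFADevices(AssignmentStatus=Assigned) -> a device whose
     User.Arn ends with ':root' means root's MFA is virtual, not hardware.
Hardware MFA for root = (1) and not (2).
"""
from __future__ import annotations


def root_mfa_status(account_summary: dict, virtual_devices: list[dict]) -> dict:
    """Pure evaluation over the two API responses, so it can be unit-tested offline."""
    mfa_enabled = account_summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1
    root_virtual = [
        d["SerialNumber"]
        for d in virtual_devices
        if d.get("User", {}).get("Arn", "").endswith(":root")
    ]
    hardware = mfa_enabled and not root_virtual
    if not mfa_enabled:
        reason = "root user has no MFA device at all"
    elif root_virtual:
        reason = f"root MFA is virtual ({root_virtual[0]}), not hardware"
    else:
        reason = "root user is protected by a hardware MFA device"
    return {"compliant": hardware, "mfa_enabled": mfa_enabled,
            "virtual_serials": root_virtual, "reason": reason}


def check_live_account() -> dict:
    """Query IAM with boto3 (imported lazily so the module loads without the SDK)."""
    import boto3
    iam = boto3.client("iam")
    summary = iam.get_account_summary()
    pages = iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned")
    virtual = [d for page in pages for d in page["VirtualMFADevices"]]
    return root_mfa_status(summary, virtual)


# Constructed sample responses (placeholder account ID, not captured from a real account).
SAMPLE_SUMMARY_ON = {"SummaryMap": {"AccountMFAEnabled": 1}}
SAMPLE_SUMMARY_OFF = {"SummaryMap": {"AccountMFAEnabled": 0}}
SAMPLE_ROOT_VIRTUAL = [{"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
                        "User": {"Arn": "arn:aws:iam::111122223333:root"}}]
SAMPLE_USER_VIRTUAL = [{"SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
                        "User": {"Arn": "arn:aws:iam::111122223333:user/alice"}}]

if __name__ == "__main__":
    for label, s, v in [("hardware", SAMPLE_SUMMARY_ON, SAMPLE_USER_VIRTUAL),
                        ("virtual", SAMPLE_SUMMARY_ON, SAMPLE_ROOT_VIRTUAL),
                        ("none", SAMPLE_SUMMARY_OFF, [])]:
        print(label, "->", root_mfa_status(s, v)["reason"])
```

A virtual device assigned to a non-root IAM user (as in SAMPLE_USER_VIRTUAL) does not affect the root result, which is why the check filters on the User ARN rather than on the presence of any virtual device.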
