
Ensure MFA is Enabled for the Root User Account Rule

This rule focuses on enforcing multi-factor authentication for the root user account.

Rule: Ensure MFA is enabled for the "root user" account
Framework: cis_v130 (CIS AWS Foundations Benchmark v1.3.0)
Severity: High

Ensure MFA is Enabled for the "Root User" Account for CIS_v1.3.0 Compliance

The Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0 requires Multi-Factor Authentication (MFA) to be enabled for the AWS root user account. MFA adds an extra layer of security on top of the username and password, making it more difficult for unauthorized users to access your AWS resources.

What Is MFA and Why Is It Important for the Root User?

MFA requires users to provide two or more verification factors to gain access to AWS resources, which significantly reduces the chance of unauthorized access. The root user possesses unrestricted access to all resources in an AWS account; hence, securing it is critical.

How to Check if MFA is Enabled for Root User

  1. Sign in to the AWS Management Console with the root user credentials.
  2. Navigate to the "My Security Credentials" section under the account name in the navigation bar.
  3. In the "Multi-Factor Authentication (MFA)" section, you can see whether MFA is enabled.

Enable MFA for Root User - Step by Step Guide

If MFA is not enabled, follow these steps to secure your root account:

  1. Access Root User Security Credentials:

    • Sign in to the AWS Management Console as the root user.
    • Click your account name in the navigation bar.
    • Choose "My Security Credentials" from the dropdown menu.

  2. Navigate to MFA Settings:

    • Expand the "Multi-Factor Authentication (MFA)" option.

  3. Activate MFA:

    • Click "Activate MFA".
    • Choose the type of MFA device you want to use (Virtual or Hardware).
    • Follow the instructions to set up the MFA device.

    For a virtual MFA device, you will need to:

    • Install an MFA app on your smartphone or tablet (e.g., Google Authenticator, Authy).
    • Scan the QR code provided by AWS or enter the provided key into the MFA app.
    • Enter two successive MFA codes from your device to complete the setup.

  4. Verify MFA is Enabled:

    • After setup, check the "Multi-Factor Authentication (MFA)" section again to confirm that MFA is now enabled.

AWS CLI Command for Checking Root User MFA

Enabling MFA for the root user requires the web console, but you can use the AWS Command Line Interface (CLI) to list the root user's MFA devices, which indirectly shows whether MFA is enabled. The root user has no IAM user name, so run the command with the root user's credentials and omit the --user-name option; IAM then resolves the caller from the access key that signed the request:

aws iam list-mfa-devices

If an MFA device appears in the output, MFA has been enabled for the root user.
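The same check as a script, added here as an example rather than code from Cloud Defense or AWS: it evaluates the `AccountMFAEnabled` flag returned by `aws iam get-account-summary` (the field the CIS benchmark audits for this rule) and counts devices in `aws iam list-mfa-devices` output, parsing constructed sample JSON with POSIX tools so it runs offline.

```shell
#!/bin/sh
# Added example, not Cloud Defense's or AWS's own tooling: evaluate the CIS
# root-MFA rule from AWS CLI JSON output. AccountMFAEnabled is the real field
# in the get-account-summary SummaryMap (1 = root MFA enabled, 0 = not).
# Parsing uses only POSIX tools (tr, sed, grep, wc) so it needs no jq.

# Read `aws iam get-account-summary` JSON on stdin; print the AccountMFAEnabled value.
root_mfa_flag() {
  tr -d ' \n' | sed -n 's/.*"AccountMFAEnabled":\([01]\).*/\1/p'
}

# Read `aws iam list-mfa-devices` JSON on stdin; print how many devices are listed
# (one "SerialNumber" key per device). This is the page's indirect check.
mfa_device_count() {
  tr -d ' \n' | grep -o '"SerialNumber"' | wc -l | tr -d ' '
}

# Read get-account-summary JSON on stdin; print PASS/FAIL and return 0/1.
check_root_mfa() {
  flag=$(root_mfa_flag)
  if [ "$flag" = "1" ]; then
    echo "PASS: root user MFA is enabled (AccountMFAEnabled=1)"
    return 0
  fi
  echo "FAIL: root user MFA is not enabled (AccountMFAEnabled=${flag:-missing})"
  return 1
}

# Constructed sample responses, shaped like the real CLI output (account id is a placeholder).
SUMMARY_ENABLED='{"SummaryMap": {"Users": 12, "AccountMFAEnabled": 1, "MFADevices": 3}}'
SUMMARY_DISABLED='{"SummaryMap": {"Users": 12, "AccountMFAEnabled": 0, "MFADevices": 2}}'
DEVICES_ONE='{"MFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device", "EnableDate": "2023-01-01T00:00:00Z"}]}'
DEVICES_NONE='{"MFADevices": []}'

# Live use (credentials need iam:GetAccountSummary; list-mfa-devices must be
# run as the root user, since root has no IAM user name to pass):
#   aws iam get-account-summary --output json | check_root_mfa
#   aws iam list-mfa-devices --output json | mfa_device_count
```

`check_root_mfa` exits non-zero on FAIL, so it can gate a CI job or scheduled compliance check directly.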

Remediation if MFA is Not Enabled

If MFA is not enabled, follow the step-by-step guide provided above to activate MFA on your root account. It is crucial to enforce this practice to adhere to the CIS AWS Foundations Benchmark and ensure the security of your AWS environment.

By ensuring the root user account has MFA enabled, you not only comply with CIS standards but also improve the overall security posture of your AWS account. Implementing this best practice is an essential step in safeguarding against potential security breaches.
