
Rule: IAM Root User Hardware MFA Enabled

This rule states that IAM root user hardware MFA should be enabled.

Rule: IAM root user hardware MFA should be enabled
Framework: CISA-cyber-essentials
Severity: Critical

IAM Root User Hardware MFA Policy

Description

The IAM (Identity and Access Management) root user is the most powerful user in an AWS account, having complete control over all resources. To ensure the highest level of security and prevent unauthorized access to the root user account, it is essential to enable hardware Multi-Factor Authentication (MFA). This policy focuses on enabling hardware MFA specifically for the CISA Cyber Essentials framework.
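The condition this rule evaluates can be checked programmatically. The following is an added example, not Cloud Defense's own rule logic and not AWS code. It applies the heuristic that compliance checkers commonly use, because the IAM API does not report the root user's MFA device type directly: the account passes when GetAccountSummary reports AccountMFAEnabled = 1 and ListVirtualMFADevices shows no virtual (software) device assigned to the root user, whose serial number takes the form arn:aws:iam::<account-id>:mfa/root-account-mfa-device. A FIDO security key is not a virtual device and therefore also passes. The sample API responses and the account ID 123456789012 are constructed for the example; the fetch_live_inputs helper is an assumed name that needs boto3 and credentials allowed iam:GetAccountSummary and iam:ListVirtualMFADevices.

```python
"""Evaluate 'IAM root user hardware MFA enabled' from IAM API data.

Added example (not Cloud Defense's or AWS's code). The evaluation itself is a
pure function over two API responses so it can be unit-tested offline; a thin
boto3 helper at the bottom fetches the same inputs from a live account.
"""

# Serial-number suffix AWS assigns to a virtual MFA device bound to the root user.
ROOT_VIRTUAL_MFA_SUFFIX = ":mfa/root-account-mfa-device"


def root_uses_virtual_mfa(virtual_mfa_devices):
    """Return True if any listed virtual MFA device is assigned to the root user.

    Matches either the conventional root device serial number or an assignment
    whose user ARN is the account root (arn:aws:iam::<account-id>:root).
    """
    for device in virtual_mfa_devices:
        serial = device.get("SerialNumber", "")
        user_arn = device.get("User", {}).get("Arn", "")
        if serial.endswith(ROOT_VIRTUAL_MFA_SUFFIX) or user_arn.endswith(":root"):
            return True
    return False


def evaluate_root_hardware_mfa(account_summary, virtual_mfa_devices):
    """Return (status, reason); status is 'PASS' or 'FAIL'.

    account_summary     : the SummaryMap dict from GetAccountSummary
    virtual_mfa_devices : the VirtualMFADevices list from ListVirtualMFADevices
    """
    if account_summary.get("AccountMFAEnabled", 0) != 1:
        return "FAIL", "root user has no MFA device enabled"
    if root_uses_virtual_mfa(virtual_mfa_devices):
        return "FAIL", "root user MFA is a virtual (software) device, not a hardware device"
    return "PASS", "root user MFA is enabled and is not a virtual device"


# Constructed sample inputs (not real account data). 123456789012 is a placeholder.
SAMPLE_SUMMARY_MFA_ON = {"AccountMFAEnabled": 1, "Users": 3, "MFADevices": 2}
SAMPLE_SUMMARY_MFA_OFF = {"AccountMFAEnabled": 0, "Users": 3, "MFADevices": 0}
SAMPLE_VIRTUAL_ROOT = [
    {
        "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
        "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"},
    }
]
SAMPLE_VIRTUAL_IAM_USER_ONLY = [
    {
        "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
        "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserId": "AIDAEXAMPLE"},
    }
]


def fetch_live_inputs():
    """Fetch the two inputs from a real account with boto3 (assumed helper name).

    Requires AWS credentials with iam:GetAccountSummary and
    iam:ListVirtualMFADevices. Only assigned virtual devices are relevant.
    """
    import boto3  # imported here so the offline evaluation needs no SDK

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(
        AssignmentStatus="Assigned"
    ):
        devices.extend(page["VirtualMFADevices"])
    return summary, devices


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    cases = {
        "hardware (no virtual root device)": (SAMPLE_SUMMARY_MFA_ON, SAMPLE_VIRTUAL_IAM_USER_ONLY),
        "virtual root device": (SAMPLE_SUMMARY_MFA_ON, SAMPLE_VIRTUAL_ROOT),
        "no MFA at all": (SAMPLE_SUMMARY_MFA_OFF, []),
    }
    for label, (summary, devices) in cases.items():
        status, reason = evaluate_root_hardware_mfa(summary, devices)
        print(f"{label:36s} -> {status}: {reason}")
```

To run against a live account, replace the sample inputs with `evaluate_root_hardware_mfa(*fetch_live_inputs())`. The check is deliberately conservative: it reports FAIL when MFA is off or when the root user's device is virtual, and PASS otherwise, which is the same inference a console user makes when the root user's MFA entry is not listed as a virtual device.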

Troubleshooting Steps

If you encounter any issues while enabling hardware MFA for the IAM root user, follow these troubleshooting steps:

  1. Ensure you have administrative access to the AWS account.
  2. Verify that the hardware MFA device is compatible with AWS. Refer to the AWS documentation for a list of supported MFA devices.
  3. Check if the hardware MFA device is properly synced with the IAM root user account.
  4. Make sure you are following the correct steps for enabling hardware MFA in the AWS Management Console or through the AWS CLI.
  5. If using the AWS CLI, check your IAM user's permissions and ensure the necessary IAM policies allow the user to enable MFA.
  6. Restart the MFA setup process, ensuring you follow each step accurately.
  7. If the issue persists, contact AWS support for further assistance.

Necessary Code

There is no specific code required for this policy. The hardware MFA configuration will be done through the AWS Management Console or AWS CLI.

Step-by-Step Guide for Remediation

To enable hardware MFA for the IAM root user in the AWS Management Console, follow these steps:

  1. Sign in to the AWS Management Console using the root user credentials.
  2. Open the IAM console.
  3. From the left-hand menu, click on "Dashboard."
  4. Under "Account Settings," locate the "Hardware MFA" section.
  5. Click on "Activate MFA" next to the root user.
  6. Select the "MFA Security Device" radio button.
  7. Choose the MFA device category (e.g., key fob, hardware token).
  8. Follow the instructions specific to the chosen MFA device for activation and synchronization.
  9. Once the device is activated and synchronized successfully, confirm the MFA setup.
  10. Save the MFA configuration, and close the console.

To enable hardware MFA for the IAM root user using the AWS CLI, follow these steps:

  1. Open the AWS CLI or your preferred terminal.
  2. Run the following command to enable hardware MFA for the root user:

aws iam enable-mfa-device --user-name root --serial-number <serial-number> --authentication-code-1 <code1> --authentication-code-2 <code2>

Replace <serial-number> with the serial number printed on the hardware MFA device (enable-mfa-device requires it), and <code1> and <code2> with two consecutive authentication codes generated by the MFA device.

  3. If successful, the command will return the updated configuration details for the root user with MFA enabled.

Conclusion

Enabling hardware MFA for the IAM root user is crucial for securing your AWS account, especially when aligning with the CISA Cyber Essentials framework. By following the step-by-step guide and troubleshooting steps, you can ensure the proper implementation of this policy and enhance the overall security posture of your AWS infrastructure.
