IAM Users with Console Access Should Have MFA Enabled Rule

This rule ensures that IAM users with console access have Multi-Factor Authentication (MFA) enabled for enhanced security measures.

Rule: IAM users with console access should have MFA enabled
Framework: CISA-cyber-essentials
Severity: High

Rule Description:

IAM users who can sign in to the AWS Management Console (that is, users with a console password) should have Multi-Factor Authentication (MFA) enabled, as required by CISA Cyber Essentials. A password alone can be phished, guessed, or reused from another breach; requiring a second factor means a compromised password by itself does not grant console access.

Troubleshooting Steps:

If an IAM user does not have MFA enabled, follow these troubleshooting steps to ensure compliance:

  1. Step 1: Identify IAM Users without MFA: First, identify the IAM users who have a console password but no MFA device. In the AWS Management Console, the Users page of the IAM console shows an MFA column. From the AWS Command Line Interface (CLI), download the IAM credential report and compare the password_enabled and mfa_active columns, or run `aws iam list-mfa-devices --user-name <IAM_username>` for each user. Users without a console password (API-only users with access keys) are out of scope for this rule.

  2. Step 2: Notification and Education: Notify the IAM users who do not have MFA enabled about the policy requirement and explain why MFA matters for their AWS Management Console login.

  3. Step 3: Enable MFA for IAM Users: Guide the IAM users through enabling MFA for their AWS Management Console login. Provide step-by-step instructions; the confirmation codes entered during enrollment are generated by the user's own authenticator app or hardware token, so no codes need to be distributed to them.

  4. Step 4: Verification: Once the IAM users have enabled MFA, verify that it is correctly configured and working. Re-run the check from Step 1 and confirm that the user is prompted for an MFA code after entering their password during sign-in.

Remediation Steps:

Follow these steps to remediate IAM users without MFA enabled:

  1. Step 1: Identify IAM Users without MFA:

    • Using the AWS Management Console: i. Sign in to the AWS Management Console. ii. Open the IAM console. iii. Navigate to the "Users" section. iv. Review the MFA column and identify users that have a console password but no MFA device assigned.

    • Using AWS CLI: i. Open AWS CLI or AWS CloudShell. ii. Generate and download the IAM credential report (`aws iam list-users` alone does not include MFA or password status):

          aws iam generate-credential-report
          aws iam get-credential-report --query Content --output text | base64 --decode
      iii. In the resulting CSV, a user is in scope when password_enabled is true and non-compliant when mfa_active is false. The root account appears as <root_account> with password_enabled set to not_supported and is covered separately. To check a single user instead, `aws iam list-mfa-devices --user-name <IAM_username>` returns an empty MFADevices list when no device is assigned.

  2. Step 2: Notification and Education:

    • For each IAM user without MFA, notify them about the policy requirement and its significance.
    • Educate them on the process of enabling MFA and offer assistance if needed.
  3. Step 3: Enable MFA for IAM Users:

    • An IAM user can enable MFA for their own user using the AWS Management Console or AWS CLI, provided their permissions allow it; otherwise an administrator assigns the device from the user's page in the IAM console.

    • Using the AWS Management Console: i. Sign in to the AWS Management Console as the IAM user. ii. Open the IAM console. iii. Navigate to the "Security credentials" tab. iv. Choose "Assign MFA device" (labelled "Manage MFA" in older versions of the console) and follow the prompts. v. Choose an authenticator app (virtual MFA device), a FIDO security key or passkey, or a hardware TOTP token, and follow the instructions to complete the setup.

    • Using AWS CLI: i. Open AWS CLI or AWS CloudShell. ii. The device must exist before it can be enabled. For a virtual device, create it with `aws iam create-virtual-mfa-device --virtual-mfa-device-name <device_name> --outfile <seed_file> --bootstrap-method QRCodePNG`; the SerialNumber in the output is the device ARN (arn:aws:iam::<account_id>:mfa/<device_name>), and the user scans the QR code in <seed_file> into their authenticator app. For a hardware TOTP token, the serial number is printed on the device. iii. Run the following command to enable MFA for the IAM user:

          aws iam enable-mfa-device --user-name <IAM_username> --serial-number <MFA_serial_number> --authentication-code1 <MFA_code1> --authentication-code2 <MFA_code2>    
      Replace
      <IAM_username>
      with the IAM user's username,
      <MFA_serial_number>
      with the virtual or hardware MFA device serial number, and
      <MFA_code1>
      and
      <MFA_code2>
      with two consecutive codes generated by the device. The codes rotate every 30 seconds, so enter the first code, wait for the next one, and run the command promptly; stale or out-of-order codes fail with an InvalidAuthenticationCode error. The caller needs iam:CreateVirtualMFADevice and iam:EnableMFADevice on the target user. Delete the seed file once enrollment is confirmed, since anyone holding it can generate valid codes.

  4. Step 4: Verification:

    • Run `aws iam list-mfa-devices --user-name <IAM_username>` and confirm the device is listed with an EnableDate, or re-generate the credential report and confirm mfa_active is now true for the user.
    • Have the IAM user sign out and sign in to the AWS Management Console again, and verify that they are prompted for an MFA code after entering their password.
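The identification step above (Step 1) and the verification step (Step 4) both come down to reading the IAM credential report, so here is one added example that does both. This is example code written for this page, not Cloud Defense's or AWS's own tooling. It parses the credential report CSV, flags users that have a console password but no active MFA device, skips the root account (which the report lists as <root_account> and which is a separate control), and exposes a per-user check for re-verification after enrollment. The embedded report is constructed; the account ID 123456789012 and the user names are placeholders. The fetch helper at the end assumes boto3 is installed and AWS credentials are configured, and is not exercised offline.

```python
"""Identify and verify IAM console users without MFA from the credential report.

Added example, not Cloud Defense's or AWS's code. The sample report below is
constructed; account ID 123456789012 and user names are placeholders.
"""
import csv
import io
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample credential report using the column set AWS emits.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-15T10:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T08:00:00+00:00,true,2024-05-02T07:30:00+00:00,2024-01-10T08:00:00+00:00,N/A,true,true,2024-01-10T08:00:00+00:00,2024-05-02T07:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-20T12:00:00+00:00,true,no_information,2022-06-20T12:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-05T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-05T09:00:00+00:00,2024-05-02T06:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


@dataclass(frozen=True)
class Finding:
    """An IAM user that has a console password but no active MFA device."""
    user: str
    arn: str
    password_last_used: str  # ISO timestamp, or no_information / N/A


def _rows(report_csv: str):
    return csv.DictReader(io.StringIO(report_csv))


def find_console_users_without_mfa(report_csv: str) -> List[Finding]:
    """Step 1: users in scope (password_enabled == true) whose mfa_active is not true.

    API-only users (no console password) are out of scope for this rule. The
    root account is reported with password_enabled=not_supported and is a
    separate control, so it is skipped here rather than silently passed.
    """
    findings = []
    for row in _rows(report_csv):
        if row["user"] == "<root_account>":
            continue
        has_console_password = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        if has_console_password and not has_mfa:
            findings.append(Finding(row["user"], row["arn"], row["password_last_used"]))
    return findings


def user_mfa_active(report_csv: str, user_name: str) -> Optional[bool]:
    """Step 4: the user's mfa_active flag, or None if the user is not in the report.

    AWS regenerates the report at most once every four hours, so fetch a fresh
    report after the user enrolls before trusting this result.
    """
    for row in _rows(report_csv):
        if row["user"] == user_name:
            return row["mfa_active"] == "true"
    return None


def is_compliant(report_csv: str) -> bool:
    """True when no console user lacks MFA."""
    return not find_console_users_without_mfa(report_csv)


def fetch_credential_report(iam_client=None, timeout_s: int = 60) -> str:
    """Generate and download a fresh report with boto3 (live account; not run offline).

    Assumes boto3 is installed and credentials with iam:GenerateCredentialReport
    and iam:GetCredentialReport are configured.
    """
    import boto3  # imported here so the offline functions above do not need it

    iam = iam_client or boto3.client("iam")
    deadline = time.monotonic() + timeout_s
    # GenerateCredentialReport is asynchronous: poll until State is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        if time.monotonic() > deadline:
            raise TimeoutError("credential report was not ready in time")
        time.sleep(2)
    # boto3 returns the CSV as bytes (already base64-decoded, unlike the CLI).
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for f in find_console_users_without_mfa(SAMPLE_REPORT):
        print(f"NON-COMPLIANT {f.user} ({f.arn}); last console login: {f.password_last_used}")
    print("compliant" if is_compliant(SAMPLE_REPORT) else "non-compliant")
```

Against the sample report only bob is flagged: alice has a password and MFA, ci-deploy has no console password, and root is skipped. Swapping SAMPLE_REPORT for the output of fetch_credential_report() runs the same check against a live account, and the CLI's base64 output can be decoded and passed in the same way.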

Ensure all IAM users with console access have MFA enabled to comply with the CISA Cyber Essentials requirements. Regularly re-run the check, and enforce rather than only monitor: a policy that denies all actions except the MFA self-service actions when the aws:MultiFactorAuthPresent condition key is false leaves a user without MFA able to do nothing except enroll a device, which protects the AWS environment from unauthorized access even when a password is compromised.
