This rule states that IAM users with console access must enable Multi-Factor Authentication (MFA) for security purposes.
| Rule | IAM users with console access should have MFA enabled |
| Framework | FedRAMP Low Revision 4 |
| Severity | High |
IAM Users with Console Access Should Have MFA Enabled for FedRAMP Low Revision 4
Overview
The Federal Risk and Authorization Management Program (FedRAMP) Low Impact Level requires that agencies implement basic security controls to protect federal information. One such control is the enforcement of Multi-Factor Authentication (MFA) for IAM users with AWS Management Console access. MFA adds a second factor on top of the username and password, so a leaked or guessed password alone is not enough to sign in, which reduces the risk of unauthorized account access.
Requirements
For FedRAMP Low Rev. 4 compliance, all AWS Identity and Access Management (IAM) users with console access should enable MFA. It is critical not only to enable it but also to ensure that it remains enforced.
Troubleshooting Steps
If an IAM user does not have MFA enabled, follow these troubleshooting steps:
Verify MFA Status: Check the MFA status of IAM user accounts to confirm whether MFA is enabled or not.
Educate Users: Inform users about the importance of MFA and provide them with instructions on how to set it up.
Audit Regularly: Periodically confirm compliance with MFA policies to ensure that no IAM user falls out of compliance.
Necessary AWS CLI Commands
List IAM users:
aws iam list-users
Get specific user MFA details:
aws iam list-mfa-devices --user-name <username>
List users without any MFA device (using AWS CLI and jq; note that this loop checks every IAM user, not only those with console access):
# -r strips the JSON quotes from the user names; jq -e sets the exit status from the boolean result
aws iam list-users | jq -r '.Users[].UserName' | while read -r user; do
  if aws iam list-mfa-devices --user-name "$user" | jq -e '.MFADevices | length == 0' > /dev/null; then
    echo "$user"
  fi
done
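Because the rule is scoped to users with console access, the IAM credential report is a more precise data source than looping over every user: its password_enabled column is "true" only for users with a login profile, and mfa_active records whether MFA is enabled. The following Python script is an added example, not part of the original page: it parses a constructed sample report (the column layout of aws iam get-credential-report, with made-up account id and user names) and reports console users lacking MFA; the fetch_report_from_aws helper assumes boto3 and IAM credentials are available and is not exercised offline.

```python
import base64
import csv
import io
import time

# Constructed sample credential report (same columns as the CSV returned by
# `aws iam get-credential-report`; only the first nine columns are included).
SAMPLE_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,access_key_1_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-01-01T00:00:00+00:00,"
    "true,2024-01-02T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true,true\n"
    "bob,arn:aws:iam::123456789012:user/bob,2021-01-01T00:00:00+00:00,"
    "true,no_information,2023-06-01T00:00:00+00:00,N/A,false,true\n"
    "svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2021-01-01T00:00:00+00:00,"
    "false,N/A,N/A,N/A,false,true\n"
)


def decode_report(content):
    """The Content field printed by the CLI is base64-encoded CSV text."""
    return base64.b64decode(content).decode("utf-8")


def console_users_without_mfa(report_csv):
    """Names of IAM users that have a console password but no active MFA.

    password_enabled is 'true' only for users with a login profile, so users
    that only hold access keys (and the root row, 'not_supported') are skipped.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    return [
        row["user"]
        for row in rows
        if row["password_enabled"] == "true" and row["mfa_active"] != "true"
    ]


def fetch_report_from_aws():
    """Live variant (assumes boto3 and IAM credentials): request a fresh
    report, wait until it is COMPLETE, return the CSV text."""
    import boto3  # assumed available in the live environment
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    # boto3 already base64-decodes the blob, so only a UTF-8 decode is needed
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    print(console_users_without_mfa(SAMPLE_REPORT_CSV))  # ['bob']
```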
Step by Step Guide for Remediation
Log in to the AWS Management Console as an admin.
Go to the IAM Dashboard: Access the IAM (Identity and Access Management) section in the AWS console.
Users List: Navigate to the "Users" tab to see a list of IAM users.
Identify Users Without MFA: Look for users without "Assigned MFA device" in the list or use the CLI commands provided above.
Educate and Enforce MFA: Inform the users without MFA about the need to enable it and guide them through the process.
User MFA Setup Instructions
a. Go to the IAM user's "Security credentials" tab.
b. Under "Assigned MFA device", click the "Manage" button.
c. Choose the MFA device type and follow the instructions to set it up.
Regular Compliance Checks: Use the CLI commands regularly to ensure all users remain compliant.
Set up a Policy for Enforced MFA: To enforce MFA, you can create an IAM policy that allows access only when MFA is used.
Example IAM policy to enforce MFA (the self-service MFA enrollment actions are excluded from the Deny so that a user who has not enrolled yet can still register and enable a device; without them the user would be locked out of the enrollment itself):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RequireMFA",
    "Effect": "Deny",
    "NotAction": [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:GetMFADevice",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
      }
    }
  }]
}
Assign this policy to all IAM users or groups.
Compliance with FedRAMP Low Rev. 4 through enabling MFA for IAM users minimizes the risk of unauthorized access and ensures your AWS account meets federally mandated security standards. Regular audits and policy enforcement are key to maintaining this aspect of your security posture.