Rule: IAM Users with Console Access Should Have MFA Enabled

This rule ensures that IAM users with console access have multi-factor authentication enabled for enhanced security measures.

Rule: IAM users with console access should have MFA enabled
Framework: GxP 21 CFR Part 11
Severity: High

Rule Description:

IAM users with console access should have Multi-Factor Authentication (MFA) enabled to comply with the GxP 21 CFR Part 11 regulation. MFA adds an extra layer of security to user accounts, ensuring that only authorized individuals can access critical systems and sensitive data.

Troubleshooting Steps:

If an IAM user does not have MFA enabled, follow these steps to troubleshoot the issue:

  1. Confirm the IAM user's access level: Ensure that the user has console access and is assigned the necessary permissions to enable MFA. Check the user's IAM policy and role assignments.

  2. Check if an MFA device is associated: Verify whether an MFA device is associated with the IAM user. If not, prompt the user to set up MFA by following the remediation steps below.

  3. Verify MFA device compatibility: Confirm that the MFA device associated with the IAM user is compatible with AWS services and can successfully generate the required MFA codes.

  4. Ensure the MFA device is functioning correctly: Validate that the MFA device is properly configured, working, and synchronized with the IAM user's account. Test the device by generating an MFA code and verifying that it is accepted.

  5. Verify MFA settings in AWS: Double-check the MFA settings in AWS to ensure that they are correctly configured and associated with the IAM user.

  6. Confirm user access validity: Review the IAM user's recent activity to ensure it aligns with expectations. Identify any suspicious access attempts or unauthorized activities.

Necessary Code:

If you need to enforce the MFA requirement for an IAM user, you can attach an inline policy with the AWS Command Line Interface (CLI):

aws iam put-user-policy --user-name <IAM_user_name> --policy-name EnforceMFA \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Sid":"DenyAllExceptMFASetupWithoutMFA","Effect":"Deny",
  "NotAction":["iam:CreateVirtualMFADevice","iam:EnableMFADevice","iam:ListMFADevices","iam:ListVirtualMFADevices","iam:ResyncMFADevice","iam:GetUser","iam:ChangePassword","sts:GetSessionToken"],
  "Resource":"*","Condition":{"BoolIfExists":{"aws:MultiFactorAuthPresent":"false"}}}]}'

This code adds a "Deny" statement to the IAM user's policy that blocks every action except the few needed to enrol, list and resync an MFA device whenever the request was not authenticated with MFA (the BoolIfExists condition also matches requests where the MFA key is absent entirely). The user can still sign in and set up a device, but can do nothing else until MFA is present. This effectively enforces the MFA requirement.
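The check behind this rule, written as an added example rather than Cloud Defense's own code: it scans an IAM credential report for console-enabled users without an active MFA device and prints the enforce-MFA command for each. The report contents, account id and user names are constructed; the policy is the standard "deny everything except MFA enrolment when aws:MultiFactorAuthPresent is false" pattern.

```python
"""Flag IAM users who can sign in to the console but have no active MFA device.

Input is an IAM credential report (CSV). Fetch a real one with:
  aws iam get-credential-report --query Content --output text | base64 -d
"""
import csv
import io

# Constructed sample report: two console users (one without MFA), one API-only
# user, and the root row, whose password_enabled column reads not_supported.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-07-15T00:00:00+00:00,true,2024-04-28T09:30:00+00:00,2024-02-01T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

def users_missing_mfa(report_csv: str) -> list[str]:
    """Return users with console access (password_enabled == true) and no
    active MFA device. Columns are looked up by header name, so extra or
    reordered columns in a real report do not break the check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Root reports password_enabled as not_supported but always has
        # console access, so it is judged on the mfa_active column alone.
        console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings

def remediation_command(user: str) -> str:
    """CLI line that attaches an inline policy denying everything except MFA
    enrolment when the request was not authenticated with MFA."""
    policy = ('{"Version":"2012-10-17","Statement":[{"Effect":"Deny",'
              '"NotAction":["iam:CreateVirtualMFADevice","iam:EnableMFADevice",'
              '"iam:ListMFADevices","iam:ListVirtualMFADevices","iam:ResyncMFADevice",'
              '"iam:GetUser","iam:ChangePassword","sts:GetSessionToken"],'
              '"Resource":"*","Condition":{"BoolIfExists":'
              '{"aws:MultiFactorAuthPresent":"false"}}}]}')
    return (f"aws iam put-user-policy --user-name {user} "
            f"--policy-name EnforceMFA --policy-document '{policy}'")

if __name__ == "__main__":
    for user in users_missing_mfa(SAMPLE_REPORT):
        print(f"NON-COMPLIANT: {user}")
        if user != "<root_account>":  # root cannot carry a user policy
            print("  " + remediation_command(user))
```

The same policy document can be attached once to a group with aws iam put-group-policy so that every console user in the group inherits it instead of being patched one by one.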

Step-by-Step Guide for Remediation:

To remediate an IAM user without MFA, follow these steps:

  1. Log in to the AWS Management Console with the necessary administrator privileges.

  2. Navigate to the IAM service.

  3. Search for the IAM user without MFA enabled using the "Users" tab.

  4. Select the specific user that needs MFA enabled.

  5. Choose the "Security credentials" tab.

  6. Click on "Manage" next to "Assigned MFA device".

  7. Add an MFA device by selecting either "Virtual MFA device" or "U2F security key", depending on the user's preference and availability.

  8. Follow the device-specific setup instructions provided by AWS to associate the MFA device with the IAM user.

  9. Once the MFA device is successfully associated, click on "Activate MFA" for the IAM user.

  10. Choose "Create a new virtual MFA device" or "Activate a U2F security key" and follow the prompts accordingly.

  11. Verify the MFA device by entering the code displayed on the device and clicking "Assign MFA".

  12. Finally, test the MFA setup by logging out and logging back in to the IAM user's account. It should prompt for the MFA code during the login process.

By following these steps, you can ensure that IAM users with console access have MFA enabled in compliance with the GxP 21 CFR Part 11 regulation.
