This rule specifies the requirement to enable hardware MFA for the IAM root user.
| Rule | IAM root user hardware MFA should be enabled |
| Framework | GxP 21 CFR Part 11 |
| Severity | Critical |
Rule Description:
The rule requires hardware Multi-Factor Authentication (MFA) to be enabled for the IAM root user, for compliance with GxP 21 CFR Part 11. This regulation mandates strict security measures, particularly for the access and authentication controls that protect electronic records and electronic signatures in regulated industries.
Enabling hardware MFA for the IAM root user adds a layer of security that mitigates the risk of unauthorized access to, or tampering with, critical systems and data.
Troubleshooting Steps:
If you encounter any issues in enabling hardware MFA for the IAM root user, follow these troubleshooting steps:
Check IAM Permissions: Ensure that you have the necessary permissions to modify IAM settings, specifically the "iam:EnableMFADevice" permission.
Verify MFA Device Compatibility: Ensure the hardware MFA device you intend to use is compatible with AWS. Check the AWS documentation for a list of supported devices.
Check Device Activation: Ensure the hardware MFA device is properly activated and synchronized. Follow the device manufacturer's instructions for activation and setup.
Verify IAM User Access: Confirm that you are authenticated as the root user or have sufficient privileges to enable MFA for the root user.
Test MFA Configuration: Perform a test login using the hardware MFA device to verify successful authentication before enabling it for the IAM root user.
Necessary Code:
No specific code is required for this rule, as it involves configuring the IAM root user settings and enabling hardware MFA.
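Although no code is needed to remediate, the rule's state can be verified programmatically. The following is an added example, not part of the original page: it applies the usual hardware-versus-virtual distinction (root MFA enabled according to GetAccountSummary, and no virtual MFA device assigned to the root ARN according to ListVirtualMFADevices). The boto3 client usage, the sample API results and the account id 123456789012 are assumptions constructed for the example.

```python
"""Classify the root user's MFA as none / virtual / hardware from IAM API results.

GetAccountSummary reports AccountMFAEnabled for root; ListVirtualMFADevices shows
which assigned devices are virtual. Root MFA on with no virtual device assigned
to root means the device is a hardware one (TOTP token or security key)."""

ROOT_ARN_SUFFIX = ":root"


def root_has_hardware_mfa(summary_map: dict, virtual_devices: list) -> dict:
    """summary_map: 'SummaryMap' from iam.get_account_summary();
    virtual_devices: 'VirtualMFADevices' from
    iam.list_virtual_mfa_devices(AssignmentStatus='Assigned')."""
    mfa_enabled = summary_map.get("AccountMFAEnabled", 0) == 1
    root_virtual = [
        d["SerialNumber"] for d in virtual_devices
        if d.get("User", {}).get("Arn", "").endswith(ROOT_ARN_SUFFIX)
    ]
    if not mfa_enabled:
        return {"status": "FAIL", "reason": "root user has no MFA device"}
    if root_virtual:
        return {"status": "FAIL",
                "reason": f"root MFA is a virtual device: {root_virtual[0]}"}
    return {"status": "PASS",
            "reason": "root MFA enabled and no virtual device assigned to root"}


def check_live_account() -> dict:
    """Query the current account with boto3 (needs iam:GetAccountSummary and
    iam:ListVirtualMFADevices). boto3 is imported lazily so the pure check
    above runs without the SDK installed."""
    import boto3

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(
            AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return root_has_hardware_mfa(summary, devices)


# Constructed sample API results (not from a real account).
SAMPLE_SUMMARY_ON = {"AccountMFAEnabled": 1}
SAMPLE_VIRTUAL_ROOT = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-mfa",
                        "User": {"Arn": "arn:aws:iam::123456789012:root"}}]

if __name__ == "__main__":
    print(root_has_hardware_mfa(SAMPLE_SUMMARY_ON, []))  # PASS: hardware
    print(root_has_hardware_mfa(SAMPLE_SUMMARY_ON, SAMPLE_VIRTUAL_ROOT))  # FAIL: virtual
```

Run `check_live_account()` with credentials that hold the two listed IAM read permissions to evaluate a real account; a FAIL with a virtual device serial means the root user has MFA, but not the hardware kind this rule requires.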
Step-by-Step Guide for Remediation:
Follow these steps to enable hardware MFA for the IAM root user:
Sign in to the AWS Management Console using the IAM root user credentials.
Open the AWS Identity and Access Management (IAM) console.
In the navigation menu on the left, choose "Users".
Select the root user from the list of users.
In the "Security credentials" tab, locate the "Assigned MFA device" section and click on "Manage".
On the "Manage MFA device" page, select "Virtual MFA device" or "U2F security key".
If selecting "Virtual MFA device", follow the on-screen instructions and use a compatible virtual MFA app to scan the QR code or enter the secret key.
If selecting "U2F security key", follow the on-screen instructions and insert the U2F key into a USB port.
Once the MFA device is successfully configured, click on "Assign MFA" to enable it for the IAM root user.
A dialog box will appear, warning you about the implications of enabling MFA for the root user. Review the information and click on "Continue".
Test the MFA configuration by signing out of the AWS Management Console and signing back in using the IAM root user credentials along with the MFA device.
Once verified, confirm that hardware MFA is now enabled for the IAM root user.
Conclusion:
Enabling hardware MFA for the IAM root user ensures compliance with GxP 21 CFR Part 11 regulations. By following the provided troubleshooting steps and step-by-step guide, you can successfully enable hardware MFA and enhance the security of your AWS account.