
IAM Users with Console Access Should Have MFA Enabled

This rule states that IAM users with console access must have multi-factor authentication (MFA) enabled for added security.

Rule: IAM users with console access should have MFA enabled
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description

This rule enforces the requirement that IAM users with console access must have Multi-Factor Authentication (MFA) enabled. This is in compliance with the NIST 800-171 Revision 2 security standards. MFA adds an extra layer of security to the authentication process by requiring users to provide two or more different types of authentication factors, such as a password and a one-time generated code from a physical or virtual device.

Troubleshooting Steps

  1. Validate the IAM user's MFA status: Check if the IAM user has MFA enabled.
  2. Verify console access permissions: Ensure that the IAM user has permissions to access the AWS Management Console.
  3. Confirm MFA policy requirements: Make sure the MFA policy aligns with NIST 800-171 Revision 2 guidelines.
  4. Check for any conflicting policies: Confirm that there are no other policies overriding the MFA requirement.

Necessary Codes

There are no specific codes associated with this rule. However, you can use the AWS Command Line Interface (CLI) to retrieve information about IAM users and their MFA status. Note that `aws iam list-users` does not report MFA state; the IAM credential report does, through its `password_enabled` (column 4) and `mfa_active` (column 8) fields. The following commands generate the report and list the console-enabled IAM users that have MFA active (the root account row is excluded because its `password_enabled` value is `not_supported`; if `get-credential-report` says the report is not yet present, wait a few seconds and rerun it):

aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 -d \
  | awk -F, 'NR > 1 && $4 == "true" && $8 == "true" { print $1 }'
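The same check implemented over the credential report in Python, as an added example that is not part of the Cloud Defense rule page. It runs offline against a constructed sample report; the optional `fetch_credential_report` helper (assumed name) pulls the live report with boto3 when AWS credentials are available.

```python
"""Find IAM users that can sign in to the console but have no active MFA.

Added example; parses the IAM credential report CSV (what
`aws iam get-credential-report` returns, base64-decoded).
"""
import csv
import io

# Constructed sample report: header exactly as IAM emits it (first eight
# columns; the real report has more, which DictReader tolerates), then
# root, a compliant user, a non-compliant console user, and a key-only user.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,true,2024-01-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2021-01-01T00:00:00+00:00,true,no_information,2023-06-01T00:00:00+00:00,N/A,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return IAM user names that have a console password but no MFA.

    Root appears as '<root_account>' with password_enabled = 'not_supported';
    this rule covers IAM users only, so that row is skipped. Users with
    password_enabled = 'false' are access-key-only and have no console access,
    so they are not findings for this rule.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def fetch_credential_report() -> str:
    """Fetch the live report with boto3 (needs AWS credentials; hypothetical
    helper not used by the offline demo). generate_credential_report is
    asynchronous, so poll until its State is COMPLETE before fetching."""
    import time
    import boto3  # imported lazily so the offline part runs without it

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    print(console_users_without_mfa(SAMPLE_REPORT))  # ['bob']
```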

Step-by-Step Guide for Remediation

To ensure IAM users with console access have MFA enabled, follow these steps:

  1. Access the AWS Management Console using an IAM user with administrative privileges.
  2. Open the IAM service by searching for "IAM" in the AWS services search bar and selecting it.
  3. In the navigation pane on the left, click on "Users" to view the list of IAM users.
  4. Identify the IAM users without MFA enabled by checking the "MFA Device" column.
  5. Select an IAM user without MFA enabled and click on the "Security credentials" tab.
  6. In the "Assigned MFA device" section, click on the "Manage" link.
  7. When prompted, choose the appropriate MFA device type (hardware or virtual).
  8. Follow the on-screen instructions to set up the MFA device for the selected IAM user.
  9. Repeat steps 5-8 for each IAM user without MFA enabled.
  10. After setting up MFA for each user, verify MFA status by running the following commands in the AWS CLI. They list the console-enabled IAM users (`password_enabled` true) whose `mfa_active` column is still false, so the expected output is empty:

aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 -d \
  | awk -F, 'NR > 1 && $4 == "true" && $8 == "false" { print $1 }'

Ensure that all IAM users with console access now have MFA enabled.

Conclusion

Enforcing MFA for IAM users with console access enhances the security posture of your AWS environment, aligning it with NIST 800-171 Revision 2 standards. By following the step-by-step guide outlined above, you can ensure that all IAM users have MFA enabled and comply with security best practices.
