
Rule: IAM Users Should Have MFA Enabled for Console Access

This rule states that IAM users with console access must have Multi-Factor Authentication (MFA) enabled.

Rule: IAM users with console access should have MFA enabled
Framework: NIST 800-53 Revision 4
Severity: High

Rule Description

According to the NIST 800-53 Revision 4 security guidelines, Multi-Factor Authentication (MFA) should be enabled for IAM (Identity and Access Management) users with console access. This rule aims to enhance the security of user accounts by requiring an additional authentication factor, beyond the username and password, to access the AWS Management Console.

Enabling MFA adds an extra layer of security because it requires the user to possess a physical device (such as a smartphone or hardware token) that generates temporary codes. These codes are used together with the user's regular login credentials to authenticate their identity when accessing the AWS Management Console, so a leaked or guessed password alone is not sufficient to sign in.

Troubleshooting Steps

If users with console access do not have MFA enabled, you can follow the troubleshooting steps below to resolve the issue.

  1. Identify the IAM user(s) without MFA enabled:

    • Log in to the AWS Management Console with an account that has administrative privileges.
    • Open the IAM service.
    • Click on "Users" in the navigation pane to view the list of IAM users.
    • Review the users and identify those without MFA enabled.

  2. Verify MFA devices for each user:

    • Select the user without MFA enabled from the list.
    • In the "Security credentials" tab, check whether there is an associated MFA device.
    • If no MFA device is present, MFA is not enabled for the user.

  3. Enable MFA for the user:

    • In the user's "Security credentials" tab, click on "Manage" next to Multi-Factor Authentication.
    • Follow the instructions and guidance provided by the AWS Management Console to associate an MFA device with the user.
    • This process typically involves scanning a QR code using a compatible MFA app or entering the device's serial number.

  4. Test MFA functionality:

    • Once the MFA device is successfully associated, log out of the AWS Management Console.
    • Log back in using the IAM user's credentials.
    • During login, the system will prompt for the MFA code from the user's device.
    • Enter the generated MFA code to complete the login process.

  5. Repeat the process for other users without MFA enabled:

    • Identify and repeat the same steps outlined above for each user without MFA enabled.

Code Examples

No code is required to enable MFA for IAM users with console access. The procedure is carried out in the AWS Management Console, where an MFA device is configured and associated with each individual IAM user.
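Although enabling MFA is a console procedure, identifying the non-compliant users in step 1 scales better from the IAM credential report, whose CSV has a `password_enabled` column (console access) and an `mfa_active` column. The example below is added here and is not Cloud Defense code; it parses a constructed sample in that report layout and lists users that have a console password but no active MFA device (a live report is fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report`).

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report.
# Account ID and user names are made up; only the columns this check reads matter.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false
"""


def find_console_users_without_mfa(report_csv: str) -> list:
    """Return IAM user names that have a console password but no active MFA device.

    Users without a console password (API-key-only users) are out of scope for
    this rule, and the root account row is skipped because it is not an IAM user.
    """
    reader = csv.DictReader(io.StringIO(report_csv))
    findings = []
    for row in reader:
        if row["user"] == "<root_account>":
            continue
        console_access = row["password_enabled"].strip().lower() == "true"
        mfa_active = row["mfa_active"].strip().lower() == "true"
        if console_access and not mfa_active:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    # For the sample above only "bob" is flagged: alice has MFA and
    # svc-deploy has no console password.
    for user in find_console_users_without_mfa(SAMPLE_REPORT):
        print(f"NON-COMPLIANT: {user} has console access but no MFA enabled")
```

Each user name returned maps directly to a row you would then remediate in the console as described under Remediation Steps.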

Remediation Steps

To remediate the non-compliant IAM users without MFA enabled, follow the step-by-step guide below:

  1. Log in to the AWS Management Console with an account that has administrative privileges.

  2. Open the IAM service.

  3. Click on "Users" in the navigation pane to view the list of IAM users.

  4. Select an IAM user without MFA enabled.

  5. In the user's "Security credentials" tab, click on "Manage" next to Multi-Factor Authentication.

  6. Follow the instructions provided by the AWS Management Console to associate an MFA device with the user.

  7. If using a compatible MFA app, scan the QR code displayed on the screen.

  8. If using a hardware token, enter the device's serial number.

  9. Test the MFA functionality by logging out of the AWS Management Console.

  10. Log back in using the IAM user's credentials.

  11. Enter the generated MFA code from the associated device when prompted.

  12. Repeat steps 4-11 for other users without MFA enabled.

By ensuring MFA is enabled for IAM users with console access, you comply with the recommended security guidelines from NIST 800-53 Revision 4.
