
Rule: IAM Root User Hardware MFA Should Be Enabled

This rule specifies that IAM root user hardware MFA must be enabled for enhanced security measures.

Rule: IAM root user hardware MFA should be enabled
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description:

For compliance with NIST 800-53 Revision 5, it is required to enable hardware Multi-Factor Authentication (MFA) for the root user in the AWS Identity and Access Management (IAM) service. This provides an additional layer of security by requiring the use of a physical device, such as a hardware token or security key, in addition to the root user's password.

Enabling hardware MFA for the root user ensures that only authorized individuals can access and manage critical AWS resources. By following this rule, you enhance the security posture of your AWS environment and comply with the NIST 800-53 Revision 5 security standard.
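The check behind this rule can be reproduced with the two IAM read calls auditors normally use: GetAccountSummary reports whether the root user has any MFA device at all, and ListVirtualMFADevices reveals whether that device is a virtual (software) one rather than hardware. The following is an added example, not Cloud Defense's own scanner code; the pure evaluation function runs offline on constructed sample data, and the live wrapper assumes boto3 plus iam:GetAccountSummary and iam:ListVirtualMFADevices permissions (account id 123456789012 is a placeholder):

```python
ROOT_ARN_SUFFIX = ":root"  # User.Arn of a virtual MFA device assigned to root ends with this


def evaluate_root_hardware_mfa(summary_map, virtual_mfa_devices):
    """Return (status, reason); status is 'ok' when root MFA is enabled and not virtual."""
    # AccountMFAEnabled == 1 only tells us root has *some* MFA device (hardware or virtual)
    if int(summary_map.get("AccountMFAEnabled", 0)) != 1:
        return "alarm", "root user has no MFA device of any kind"
    # A virtual device assigned to the root principal means the MFA is software, not hardware
    for dev in virtual_mfa_devices:
        user_arn = dev.get("User", {}).get("Arn", "")
        if user_arn.endswith(ROOT_ARN_SUFFIX):
            return "alarm", f"root MFA is a virtual device ({dev.get('SerialNumber')}), not hardware"
    return "ok", "root user MFA is enabled and no virtual MFA device is assigned to root"


def fetch_and_evaluate():
    """Live check of the current AWS account (boto3 is imported here so the module loads without it)."""
    import boto3  # assumed available only for the live path

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return evaluate_root_hardware_mfa(summary, devices)


# Constructed sample inputs mirroring the shape of the two API responses
SAMPLE_NO_MFA = ({"AccountMFAEnabled": 0}, [])
SAMPLE_VIRTUAL_ROOT = (
    {"AccountMFAEnabled": 1},
    [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
      "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"}}],
)
SAMPLE_HARDWARE_ROOT = (  # root has MFA; the only virtual device belongs to an IAM user
    {"AccountMFAEnabled": 1},
    [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
      "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserId": "AIDAEXAMPLE"}}],
)

if __name__ == "__main__":
    for name, args in [("no-mfa", SAMPLE_NO_MFA), ("virtual-root", SAMPLE_VIRTUAL_ROOT),
                       ("hardware-root", SAMPLE_HARDWARE_ROOT)]:
        status, reason = evaluate_root_hardware_mfa(*args)
        print(f"{name}: {status} - {reason}")
```

The "ok" verdict is an inference (MFA on, no virtual device tied to root); it cannot distinguish a hardware TOTP token from a FIDO security key, both of which satisfy this rule.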

Troubleshooting Steps:

If you encounter any issues while enabling hardware MFA for the root user, follow these troubleshooting steps:

  1. Ensure that you are logged in as the root user or have administrative privileges.
  2. Verify that you have a supported hardware MFA device, such as a hardware token or security key.
  3. Double-check that the MFA device is activated and properly synced.
  4. Verify that the hardware MFA device is compatible with the IAM service in the AWS region you are operating in.
  5. Ensure that you have followed the correct steps to associate the hardware MFA device with the root user in the IAM console or via API/CLI commands.
  6. If you encounter any error messages, refer to the AWS IAM documentation or seek assistance from AWS Support.

Necessary Code:

There is no specific code required for this rule, but the following AWS CLI commands can be used for enabling hardware MFA for the root user:

  1. To enable MFA for the IAM root user (enable-mfa-device also requires the device's serial number, which the original command omitted):
     aws iam enable-mfa-device --user-name <root-user-name> --serial-number <mfa-device-serial-number> --authentication-code1 <mfa-authentication-code1> --authentication-code2 <mfa-authentication-code2>

Replace <root-user-name> with the name of the root user, <mfa-device-serial-number> with the serial number (or ARN) of the hardware MFA device, and <mfa-authentication-code1> and <mfa-authentication-code2> with two consecutive codes generated by the MFA device.

Remediation Steps:

Follow these steps to enable hardware MFA for the IAM root user:

  1. Log in to the AWS Management Console using the root user credentials.
  2. Open the IAM console.
  3. In the navigation pane, select "Users".
  4. Search for and select the root user.
  5. Click on the "Security credentials" tab.
  6. Under the "Multi-factor authentication (MFA)" section, click on "Manage".
  7. Click on "Assign MFA device".
  8. Choose "A hardware MFA device" and click "Continue".
  9. Select the appropriate device type (e.g., U2F security key, virtual MFA device).
  10. Follow the on-screen instructions to associate the hardware MFA device with the root user.
  11. Enter the authentication codes generated by the MFA device as prompted.
  12. Click "Assign MFA" to complete the process.

Once hardware MFA is successfully enabled for the root user, it is recommended to securely store the MFA device and regularly review and update security credentials to ensure the highest level of security for your AWS resources.

Note: The above steps can also be performed using AWS CLI commands, as mentioned in the necessary code section above.

By following the provided troubleshooting steps, necessary code, and remediation steps, you can ensure hardware MFA is enabled for the root user, aligning with the requirements of NIST 800-53 Revision 5 and improving the security of your AWS environment.
