
IAM Root User MFA Enabled Rule

This rule checks that Multi-Factor Authentication (MFA) is enabled for the AWS account root user, the single most privileged identity in the account.

Rule: IAM root user MFA should be enabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Description:

NIST 800-53 Revision 5 requires multi-factor authentication for access to privileged accounts (control IA-2(1)). In AWS, the root user of the account is the most privileged account there is: it cannot be restricted by IAM policies and it owns account-level settings such as billing, account closure and support plans. The rule therefore requires that the root user have an MFA device registered. MFA adds a second factor to the root sign-in, such as a FIDO security key, an authenticator app or a hardware TOTP token, on top of the root password.

With MFA enabled, an attacker who obtains or resets the root password still cannot complete a console sign-in without the second factor. Note that MFA protects the sign-in flow only: long-lived root access keys, if any exist, authenticate API calls with no MFA prompt, so they should be deleted as part of the same hardening.

Troubleshooting:

If you encounter issues while enabling MFA for the root user, work through these checks:

  1. Sign in as the root user itself, using the account email address and root password. Only the root user can manage its own MFA devices; an IAM user cannot do it on the root user's behalf, however privileged.
  2. Verify that the MFA device type is one the root user supports: a passkey or FIDO security key, a virtual MFA device (a TOTP authenticator app), or a hardware TOTP token. SMS text messages are not a supported MFA method for the root user.
  3. For a TOTP device (authenticator app or hardware token), check that the device clock is accurate. Time-based one-time codes depend on time synchronization, which is why AWS asks for two consecutive codes during assignment: the pair lets it detect and correct clock drift.
  4. For a hardware TOTP token, verify that you entered the serial number printed on the token exactly; the serial is what ties the token to the seed AWS has on file.
  5. Enter the authentication code while it is still valid, and for the second code wait until the device has rotated to a new value rather than re-entering the first one.

If the issue persists, consult the AWS documentation or reach out to AWS Support for further assistance.

Necessary Code:

No code is needed to satisfy this rule; the remediation is a console procedure performed by the root user. The rule's state can, however, be checked programmatically: `aws iam get-account-summary` reports `AccountMFAEnabled` (1 when the root user has MFA), and the credential report from `aws iam get-credential-report` carries a `<root_account>` row with `mfa_active` and the access-key columns.
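As an added example (not code from the original page or from Cloud Defense), the following Python script evaluates the rule from the two sources above. The sample account summary and credential report are constructed here so the checks run offline; the `fetch_live` function, which assumes `boto3` is installed and the caller holds `iam:GetAccountSummary`, `iam:GenerateCredentialReport` and `iam:GetCredentialReport`, is the only part that touches AWS. Besides the MFA flag, the report check flags active root access keys, which the MFA control does not cover.

```python
import csv
import io
import json

# Constructed sample of `aws iam get-account-summary` output for an account whose
# root user has no MFA device and still has access keys; not from a real account.
SAMPLE_SUMMARY = json.dumps({
    "SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 3}
})

# Constructed sample of the decoded CSV that `aws iam get-credential-report`
# returns. Only a subset of the report's columns is included; the ones this
# check reads (user, mfa_active, access_key_N_active) use the report's real names.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_2_active,"
    "access_key_2_last_rotated\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,"
    "false,true,2020-01-01T00:00:00+00:00,false,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-01-01T00:00:00+00:00,"
    "true,2024-01-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,"
    "true,false,N/A,false,N/A\n"
)


def root_mfa_enabled(summary_json: str) -> bool:
    """True when the account summary reports an MFA device on the root user.

    AccountMFAEnabled is 1 only when the root user has MFA; it says nothing
    about IAM users. This is the field the rule's pass/fail turns on.
    """
    summary = json.loads(summary_json)["SummaryMap"]
    return int(summary.get("AccountMFAEnabled", 0)) == 1


def root_findings(report_csv: str) -> list:
    """Return findings for the <root_account> row of a credential report.

    Active root access keys are reported too: they authenticate API calls with
    no MFA prompt, so leaving them in place undercuts the control.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != "<root_account>":
            continue
        if row["mfa_active"] != "true":
            findings.append("root user has no active MFA device")
        for slot in ("access_key_1_active", "access_key_2_active"):
            if row.get(slot) == "true":
                findings.append(f"root user has an active access key ({slot})")
        break
    else:  # loop ran to completion without finding the root row
        findings.append("credential report has no <root_account> row")
    return findings


def evaluate(summary_json: str, report_csv: str) -> dict:
    """Combine both sources into a single rule verdict."""
    findings = root_findings(report_csv)
    if not root_mfa_enabled(summary_json):
        findings.append("account summary reports AccountMFAEnabled=0")
    return {"status": "FAIL" if findings else "PASS", "findings": findings}


def fetch_live() -> dict:
    """Pull both inputs from AWS and evaluate them.

    Assumption: boto3 is installed and the ambient credentials are allowed to
    call GetAccountSummary, GenerateCredentialReport and GetCredentialReport.
    The credential report is produced asynchronously, so the fetch is retried.
    """
    import time
    import boto3  # imported here so the offline checks above run without it

    iam = boto3.client("iam")
    summary_json = json.dumps(iam.get_account_summary()["SummaryMap"])
    while True:
        try:
            report = iam.get_credential_report()["Content"].decode("utf-8")
            break
        except (iam.exceptions.CredentialReportNotPresentException,
                iam.exceptions.CredentialReportExpiredException):
            iam.generate_credential_report()
            time.sleep(2)
        except iam.exceptions.CredentialReportNotReadyException:
            time.sleep(2)
    return evaluate(json.dumps({"SummaryMap": json.loads(summary_json)}), report)


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_SUMMARY, SAMPLE_REPORT), indent=2))
```

Run as-is it evaluates the constructed samples and reports FAIL with three findings; call `fetch_live()` instead to evaluate the account the current credentials belong to.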

Remediation:

To enable MFA for the AWS account root user, follow these steps:

  1. Sign in to the AWS Management Console as the root user, using the account's email address and the root password. Only the root user can assign its own MFA devices.
  2. Open the account menu (the account name in the top-right corner of the console) and choose "Security credentials". The root user is not an IAM user and does not appear in the IAM "Users" list; its credentials are managed from this account-level page.
  3. In the "Multi-factor authentication (MFA)" section, choose "Assign MFA device".
  4. Give the device a name and choose its type. Supported types for the root user are a passkey or FIDO security key, an authenticator app (virtual TOTP device), and a hardware TOTP token. SMS text messages are not an option.
     • For an authenticator app: install a TOTP-capable app on a dedicated device, scan the QR code or enter the secret key shown, then enter two consecutive codes from the app.
     • For a passkey or security key: follow the browser prompt to register the key (plug it in and touch it, or complete the platform authenticator prompt).
     • For a hardware TOTP token: enter the serial number printed on the token, then enter two consecutive codes it generates.
  5. Complete the assignment. Where you have the choice, prefer a FIDO security key: it is phishing-resistant, whereas a TOTP code can be relayed by a phishing page.
  6. Register a second device (AWS allows up to eight MFA devices on the root user) so that the loss of one device does not lock you out of the account, and store hardware devices in a controlled location such as a safe.
  7. While on the same page, delete any root access keys. MFA does not apply to API calls made with access keys, and there is no routine task that requires root keys.
  8. MFA is now enabled for the root user. Reserve the root user for the handful of tasks that require it and perform day-to-day work through IAM users, roles, or IAM Identity Center with least-privilege permissions.

Note:

Enabling MFA for the root user raises the bar for account takeover and aligns with the NIST 800-53 Revision 5 requirement for MFA on privileged accounts. It is not the whole control, though: the root password, the MFA devices, and the mailbox that receives root password-reset and account-recovery email must all be restricted to authorized individuals, and root access keys should not exist at all.
