IAM Root User Hardware MFA Enabled Rule

This rule ensures that IAM root user hardware MFA is enabled for added security.

Rule: IAM root user hardware MFA should be enabled
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

This rule requires that the root user of the AWS (Amazon Web Services) account, managed through IAM (Identity and Access Management), have hardware MFA (Multi-Factor Authentication) enabled in order to comply with the security requirements outlined in NIST (National Institute of Standards and Technology) 800-53 Revision 5.

Enabling hardware MFA for the root user adds a layer of security by requiring a physical device, such as a hardware token or smart card, in addition to the regular password when logging in as the root user. This helps prevent unauthorized access and strengthens the overall security posture of the AWS account.

Troubleshooting Steps

In case of any issues related to enabling hardware MFA for the IAM root user, you can follow these troubleshooting steps:

  1. Ensure that you are logged in as the root user or have the necessary permissions to manage IAM users and MFA settings.
  2. Verify that you have a compatible hardware MFA device or token.
  3. Double-check that the MFA device is activated and synchronized correctly.
  4. Confirm that you have entered the correct serial number or scan the barcode if available.
  5. Ensure that the MFA device is within range and functioning properly.

If the issue persists, you may need to contact AWS Support for further assistance.

Necessary Code

There is no specific code required for this rule. The enablement of hardware MFA for the IAM root user is done through the AWS Management Console or AWS CLI (Command Line Interface).
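Whether an account satisfies the rule can still be checked from two IAM API responses. The sketch below is an added example, not part of the original rule page or of any vendor's implementation: it assumes that any virtual MFA device assigned to the root user fails the rule, and the function names and sample responses are constructed for illustration.

```python
ROOT_DEFAULT_SUFFIX = ":mfa/root-account-mfa-device"  # default name of a root virtual device


def root_hardware_mfa_status(summary_map, virtual_mfa_devices):
    """Return (compliant, reason).

    summary_map: SummaryMap from iam:GetAccountSummary.
    virtual_mfa_devices: VirtualMFADevices from iam:ListVirtualMFADevices.
    Assumption: any virtual device assigned to root fails the rule.
    """
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return False, "root user has no MFA device"
    for device in virtual_mfa_devices:
        serial = device.get("SerialNumber", "")
        user_arn = device.get("User", {}).get("Arn", "")
        # The root user's ARN ends in ":root"; IAM users end in ":user/<name>".
        if user_arn.endswith(":root") or serial.endswith(ROOT_DEFAULT_SUFFIX):
            return False, "root user has a virtual MFA device: " + serial
    return True, "root user MFA is enabled and no virtual device is assigned to root"


def fetch_and_evaluate():
    """Live check; needs boto3 and credentials allowed to call both IAM APIs."""
    import boto3  # imported here so the evaluation above runs offline

    iam = boto3.client("iam")
    summary_map = iam.get_account_summary()["SummaryMap"]
    devices = []
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return root_hardware_mfa_status(summary_map, devices)


# Constructed sample responses; 111122223333 is a placeholder account ID.
SAMPLE_VIRTUAL_ROOT = [{
    "SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::111122223333:root"},
}]
SAMPLE_VIRTUAL_IAM_USER = [{
    "SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
    "User": {"Arn": "arn:aws:iam::111122223333:user/alice"},
}]

if __name__ == "__main__":
    print(root_hardware_mfa_status({"AccountMFAEnabled": 0}, []))
    print(root_hardware_mfa_status({"AccountMFAEnabled": 1}, SAMPLE_VIRTUAL_ROOT))
    print(root_hardware_mfa_status({"AccountMFAEnabled": 1}, SAMPLE_VIRTUAL_IAM_USER))
```

A virtual device that belongs to an IAM user does not affect the result; only a device assigned to the root user does.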

Step-by-Step Guide for Remediation

To enable hardware MFA for the IAM root user, follow these step-by-step instructions:

  1. Access the AWS Management Console using your root user credentials.
  2. Navigate to the IAM service.
  3. In the navigation pane on the left, click on "Users".
  4. Select the "Security credentials" tab.
  5. Locate the root user and click on the "Manage" button next to "Assigned MFA device".
  6. In the new window, select "Virtual MFA device" and click on the "Next Step" button.
  7. Follow the instructions to set up the MFA device. This may involve either scanning the barcode or entering the serial number manually.
  8. Verify the MFA device by following the on-screen instructions.
  9. Once the MFA device is successfully verified, click on the "Assign MFA device" button to complete the process.

After completing these steps, hardware MFA will be enabled for the IAM root user, ensuring compliance with the NIST 800-53 Revision 5 requirement.

Remember to securely store the MFA device and keep it in a safe location to prevent unauthorized access.
