
IAM Users with Console Access Should Have MFA Enabled

This rule ensures that IAM users with console access have multi-factor authentication (MFA) enabled for enhanced security measures.

Rule: IAM users with console access should have MFA enabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description:

In line with the NIST Cybersecurity Framework (CSF) v1.1, Multi-Factor Authentication (MFA) should be enabled for every IAM user that has console access (that is, a login profile with a password). MFA adds a second layer of authentication by requiring the user to present proof of possession of a device, in addition to the username and password, when signing in to the AWS Management Console.
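The check behind this rule can be evaluated from the IAM credential report, which carries both facts the rule needs per user: password_enabled (console access) and mfa_active. The following is an added example, not Cloud Defense's own code: it flags users with a console password and no MFA device, skips the root principal (covered by a separate root-MFA rule) and API-only users, and includes an optional live path that fetches the report with boto3. The sample report is constructed; the user names and account id 123456789012 are made up.

```python
"""Audit an AWS account for IAM users with console access but no MFA.

Added example (not Cloud Defense's code). The column names below are the
real ones IAM emits in the credential report; the rows are constructed.
"""
import csv
import io
import time
from dataclasses import dataclass

# Constructed sample credential report (account id and user names are made up).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-02T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-01-05T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T00:00:00+00:00,true,no_information,2023-12-01T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-07T00:00:00+00:00,false,N/A,N/A,N/A,false,true
"""


@dataclass(frozen=True)
class Finding:
    user: str
    arn: str
    password_last_used: str


def find_console_users_without_mfa(report_csv: str) -> list[Finding]:
    """Return every IAM user that has a console password but no MFA device.

    The root principal appears as <root_account> with password_enabled set to
    not_supported; it is excluded here, as are users without a login profile
    (password_enabled == false), who cannot sign in to the console at all.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        has_console_access = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        if has_console_access and not has_mfa:
            findings.append(Finding(row["user"], row["arn"], row["password_last_used"]))
    return findings


def fetch_credential_report(iam_client, timeout_s: float = 60.0) -> str:
    """Live path: generate and download the report with a boto3 IAM client.

    generate_credential_report is asynchronous, so poll until its State is
    COMPLETE; get_credential_report then returns the CSV bytes under Content.
    """
    deadline = time.monotonic() + timeout_s
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        if time.monotonic() > deadline:
            raise TimeoutError("credential report not ready")
        time.sleep(2)
    return iam_client.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # assumed installed, with AWS credentials configured

        report = fetch_credential_report(boto3.client("iam"))
    else:
        report = SAMPLE_REPORT
    for f in find_console_users_without_mfa(report):
        print(f"FAIL {f.user} ({f.arn}) last console sign-in: {f.password_last_used}")
```

Run without arguments to evaluate the constructed sample (only bob is reported: he has a console password, no MFA and has never signed in, which makes him a candidate for removing console access rather than enrolling a device); pass --live to audit a real account, which requires iam:GenerateCredentialReport and iam:GetCredentialReport.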

Troubleshooting Steps:

When enabling MFA for an IAM user with console access, you may run into the following issues:

  1. Inability to enable MFA: If you cannot enable MFA for an IAM user, you probably lack the required IAM permissions. Check that your IAM policies allow the relevant iam:*MFADevice actions, or ask your AWS account administrator to grant them.

  2. Invalid MFA device: If the MFA device associated with an IAM user is no longer valid or has been lost, associate a new MFA device with the user. Follow the remediation steps below to set up a new device.

Necessary Codes:

No code is required for this rule. The configuration change is made through the AWS Management Console or with AWS CLI commands.

Remediation Steps:

Follow these step-by-step instructions to enable MFA for IAM users with console access:

  1. Sign in to the AWS Management Console using your root or IAM user credentials.

  2. Open the IAM service from the AWS Management Console.

  3. In the left navigation pane, click "Users" to view the list of IAM users in your account.

  4. Select the IAM user for whom you want to enable MFA.

  5. Click the "Security credentials" tab.

  6. Under the "Multi-factor authentication (MFA)" section, click "Manage MFA device."

  7. Select the "Virtual MFA device" option or the "U2F security key" option, based on your preference, and click "Continue."

  8. Follow the on-screen instructions to set up the MFA device.

  9. Once the virtual MFA device or U2F security key is set up, you can additionally enforce MFA at the account or group level. If you want to enforce MFA for the entire account or for specific IAM groups, follow the appropriate guidelines.

  10. To verify that MFA is working, sign out of the AWS Management Console and sign back in as the IAM user with console access. You should be prompted for the MFA code generated by the device or key associated with the account.

CLI Command Guide:

If you prefer to enable MFA with the AWS Command Line Interface (CLI), follow these steps:

  1. Install and configure the AWS CLI on your local machine.

  2. Open your preferred terminal application and run the following command to enable MFA for an IAM user. The two authentication codes must be two consecutive codes generated by the MFA device:

    aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number arn:aws:iam::<ACCOUNT_ID>:mfa/<MFA_DEVICE_NAME> --authentication-code1 <FIRST_CODE_FROM_DEVICE> --authentication-code2 <SECOND_CODE_FROM_DEVICE>

    Note: Replace <IAM_USER_NAME>, <ACCOUNT_ID>, <MFA_DEVICE_NAME>, <FIRST_CODE_FROM_DEVICE> and <SECOND_CODE_FROM_DEVICE> with the values specific to your environment.

  3. Verify that MFA was enabled by listing the IAM user's MFA devices:

    aws iam list-mfa-devices --user-name <IAM_USER_NAME>

Conclusion:

Enabling MFA for IAM users with console access is an essential security measure recommended by the NIST Cybersecurity Framework. Following the steps above gives your IAM users a second authentication factor and reduces the risk that a stolen or guessed password alone grants access to your AWS resources.
