Profile Applicability: Level 1


Description:

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS console, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.


Rationale:

Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.


Impact:

Protect your environment by using MFA, a security feature available at no extra cost that augments user name and password credentials. MFA requires users to prove physical possession of a hardware MFA token or MFA-enabled mobile device by providing a valid MFA code.


Default Value:

By default, AWS does not enable MFA for any IAM user. You can enable it at any time, according to your security requirements, by following the steps below.


Pre-Requisites:

  • There should be an IAM user for whom MFA is not yet enabled.

  • Make sure an MFA hardware device is available or an authenticator app is installed.


Remediation:

Test Plan:


Using AWS Console:

Perform the following to determine if an MFA is enabled for all IAM users having a console password:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM service https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane 

  4. If the MFA column is not visible in the table, click the gear icon at the upper right corner of the table and ensure the MFA checkbox is selected.

  5. In the MFA column, check for each user whether MFA is enabled or not.

    If None is shown in the MFA column, no MFA device is assigned to that user.



Using AWS CLI:

Generate and then download the credential report (get-credential-report fails if no report has been generated recently; generation is asynchronous, so rerun the second command if it reports that the report is still in progress):

aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 -d

Check the mfa_active column: a value of false means MFA is not enabled for that user. The password_enabled column shows whether the user has a console password, so rows with password_enabled true and mfa_active false are the ones this check is concerned with.
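The same check applied to the decoded credential report, as an added example (not part of the original benchmark text): it takes the JSON printed by aws iam get-credential-report, decodes the base64 Content field, and lists users that have a console password but no MFA device. The report embedded below is a constructed sample with a trimmed set of columns and a fictitious account ID.

```python
"""Flag IAM users that have a console password but no MFA device,
from the credential report returned by `aws iam get-credential-report`."""
import base64
import csv
import io
import json

# Constructed sample: a trimmed credential report (real reports have more
# columns), base64-encoded the way the CLI returns it in the "Content" field.
_SAMPLE_CSV = "\n".join([
    "user,arn,password_enabled,mfa_active,access_key_1_active",
    "<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false",
    "alice,arn:aws:iam::123456789012:user/alice,true,true,false",
    "bob,arn:aws:iam::123456789012:user/bob,true,false,true",
    "ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true",
])
SAMPLE_CLI_OUTPUT = json.dumps({
    "Content": base64.b64encode(_SAMPLE_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
    "GeneratedTime": "2024-01-01T00:00:00Z",
})


def decode_report(cli_json: str) -> str:
    """Return the CSV text from the JSON document printed by get-credential-report."""
    content = json.loads(cli_json)["Content"]
    return base64.b64decode(content).decode("utf-8")


def users_missing_mfa(report_csv: str) -> list[str]:
    """Users whose password_enabled is true and mfa_active is false.

    The <root_account> row reports password_enabled as not_supported, so it
    is excluded here (root MFA is a separate control). Users without a console
    password (API-only users such as ci-deploy) are excluded as well.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    return [
        row["user"]
        for row in rows
        if row["password_enabled"] == "true" and row["mfa_active"] == "false"
    ]


if __name__ == "__main__":
    # Replace SAMPLE_CLI_OUTPUT with sys.stdin.read() to pipe in real CLI output.
    for user in users_missing_mfa(decode_report(SAMPLE_CLI_OUTPUT)):
        print(f"MFA not enabled for console user: {user}")
```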


Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM service https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane

  4. Click on the user for whom you want to enable MFA and go to the Security Credentials tab 

  5. Click Assign MFA device in the Multi-Factor Authentication section.

  6. You will be offered the options Authenticator app, Security key, and Hardware TOTP token. Select the option you want and click Next.

    Note: these steps assume a virtual MFA device (authenticator app); any of the available options can be chosen.

  7. Based on the option you selected, the console will walk you through setting up the MFA device.


Using AWS CLI:

aws iam enable-mfa-device \
    --user-name <user-name> \
    --serial-number <device-serial-or-virtual-mfa-arn> \
    --authentication-code-1 <first-code-from-device> \
    --authentication-code-2 <next-consecutive-code-from-device>

For a virtual device, create it first with aws iam create-virtual-mfa-device and use the returned device ARN as the serial number; for a hardware token, use the serial number printed on the token.


Backout Plan:

If you want to remove MFA for the user, follow the same steps as in the Implementation section and, in the Multi-Factor Authentication section, select the device and click Remove.

References:


CIS Controls: 

4.5 Use Multifactor Authentication For All Administrative Access 

  • Use multi-factor authentication and encrypted channels for all administrative account access.