Profile Applicability: Level 1


Description:

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS console, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.


Rationale:

Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.


Impact:

Protect your environment by using MFA, a security feature available at no extra cost that augments user name and password credentials. MFA requires users to prove physical possession of a hardware MFA token or MFA-enabled mobile device by providing a valid MFA code.


Default Value:

By default, AWS does not enable MFA for any user; you can enable it at any time according to your security requirements. To do so, follow the steps below.


Audit:

Perform the following to determine if MFA is enabled for all IAM users that have a console password:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. If the MFA column is not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to MFA, then click Close.

  5. From the MFA column, check whether MFA is enabled or not for each user.


Via CLI:

Step 1: Download the credential report

aws iam get-credential-report

Step 2: Check the mfa_active column; a value of false means MFA is not enabled for that user.
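The CLI check above, carried out against a decoded credential report, as an added example that is not part of the original benchmark text. The report lines are constructed sample data (account ID and user names are placeholders); the live-fetch helper assumes the AWS CLI is installed and credentialed and is not exercised offline.

```shell
#!/bin/sh
# Constructed sample of a decoded IAM credential report, trimmed to the
# columns needed here (a real report carries more columns after mfa_active).
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-02-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T00:00:00+00:00,true,2024-02-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-05-05T00:00:00+00:00,false,no_information,N/A,N/A,false'

# Print the names of users that have a console password but no MFA device.
# Reads a decoded credential report (CSV) on stdin. Column positions are
# taken from the header row, so extra or reordered columns are harmless.
# The root account row is skipped naturally: its password_enabled value
# is "not_supported", never "true".
users_without_mfa() {
  awk -F',' '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      next
    }
    $col["password_enabled"] == "true" && $col["mfa_active"] == "false" {
      print $col["user"]
    }
  '
}

# Fetch the live report. It must be generated first and is returned
# base64-encoded in the Content field; generation is asynchronous, so
# get-credential-report may need to be retried until the report is ready.
fetch_report() {
  aws iam generate-credential-report >/dev/null
  aws iam get-credential-report --query Content --output text | base64 -d
}

# Offline demonstration against the constructed sample; prints: alice
printf '%s\n' "$SAMPLE_REPORT" | users_without_mfa
```

Against a live account, replace the last line with `fetch_report | users_without_mfa`; any name printed is a finding for this control.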


Remediation:

Pre-Requisites

  • There should be an IAM user available that does not yet have MFA enabled.

  • Make sure a hardware MFA device is available or an authenticator app is installed.


Implementation Steps

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. Click on the user for whom you want to enable MFA and go to the Security Credentials tab.

  5. Click on Manage in the Assigned MFA device section.

  6. After clicking Manage you are offered the available device types: Virtual MFA device, U2F security key, or Other hardware MFA device. Select the option you want and click Continue.

    Note: For this documentation, we are choosing a Virtual MFA device.

  7. Click on Show QR code.

  8. Scan the QR code with the authenticator app installed on your device; the app will then display an MFA code.

  9. Enter that code in MFA code 1, wait a few seconds for the app to refresh the code, then enter the new code in MFA code 2.

  10. Click on Assign MFA.



CLI Remediation:

aws iam enable-mfa-device \
  --user-name <user-name> \
  --serial-number <mfa-device-serial-number-or-arn> \
  --authentication-code-1 <first-code> \
  --authentication-code-2 <second-code>


Backout plan:

If you want to remove MFA for the user, follow the same steps as in the Implementation section; after clicking Manage you will be given an option to remove the MFA device.

References:


CIS Controls:

4.5 Use Multifactor Authentication For All Administrative Access

  • Use multi-factor authentication and encrypted channels for all administrative account access.