Profile Applicability: Level 1


Description:

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.


Rationale:

Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.


Impact:

Protect your environment by using MFA, a security feature available at no extra cost that augments user name and password credentials. MFA requires users to prove physical possession of a hardware MFA token or MFA-enabled mobile device by providing a valid MFA code.


Default Value:

By default, AWS does not enable MFA for any user. You can enable it at any time according to your security requirements; to do so, follow the steps below.


Audit:

Perform the following to determine whether MFA is enabled for all IAM users that have a console password:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. If the MFA column is not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to MFA, then click Close.

  5. From the MFA column, check whether MFA is enabled for each user that has a console password.
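
The same audit can be run from the AWS CLI instead of the console, using the IAM credential report, which lists every user's password and MFA status. The following script is an added example and not part of the CIS page; it assumes AWS CLI v2 is configured with a principal allowed to call iam:GenerateCredentialReport and iam:GetCredentialReport, and the embedded sample report is constructed for illustration.

```shell
# Added example (not from the CIS page): audit IAM console users for MFA
# from the credential report instead of the console's MFA column.
# Assumes AWS CLI v2 and permission for iam:GenerateCredentialReport and
# iam:GetCredentialReport. The sample report further down is constructed.

# Fetch the credential report CSV. Report generation is asynchronous, so
# poll until the API reports COMPLETE, then download and base64-decode it.
fetch_credential_report() {
  until aws iam generate-credential-report --query State --output text | grep -q '^COMPLETE$'; do
    sleep 2
  done
  aws iam get-credential-report --query Content --output text | base64 -d
}

# Read a credential report CSV on stdin and print one user per line that has
# a console password but no active MFA device (the audit condition above).
# Column positions are looked up from the header row, so the check does not
# depend on the report's column order. Exits 1 when at least one such user
# exists, so the function can gate a pipeline or scheduled check.
find_console_users_without_mfa() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["password_enabled"]) == "true" && $(col["mfa_active"]) == "false" {
      print $(col["user"]); n++
    }
    END { exit (n > 0) }
  '
}

# Constructed sample report (account id is a placeholder): alice has a
# password and no MFA (finding), bob has a password and MFA (pass),
# svc-deploy has no console password (out of scope), and the root account
# reports password_enabled=not_supported and is therefore skipped.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-02-01T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-02-01T00:00:00+00:00,2021-03-04T00:00:00+00:00,N/A,false,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T00:00:00+00:00,true,2024-02-01T00:00:00+00:00,2021-03-04T00:00:00+00:00,N/A,true,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-05-05T00:00:00+00:00,false,no_information,N/A,N/A,false,true'

# Run the check against the constructed sample; prints "alice" and exits 1.
audit_sample() {
  printf '%s\n' "$SAMPLE_REPORT" | find_console_users_without_mfa
}
```

Against a live account, run `fetch_credential_report | find_console_users_without_mfa`; empty output with exit status 0 means every user with a console password has MFA active.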

Remediation:

Pre-Requisites

  • There should be an IAM user for whom MFA is not yet enabled.

  • Make sure an MFA hardware device is available or an authenticator app is installed.

Implementation Steps

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. Click on the user for whom you want to enable MFA and go to the Security Credentials tab.
     Click on Manage in the Assigned MFA device section.

  5. After clicking Manage, you will see the available options: Virtual MFA device, U2F security key, or Other hardware MFA device. Select the option you want and click Continue.

  6. Based on the option you selected, the console will guide you through setting up the MFA device.

Backout plan

If you want to remove MFA for a user, follow the same steps as in the Implementation section; after clicking Manage you will be given an option to remove the MFA device.



CLI Remediation

aws iam enable-mfa-device \
  --user-name <user-name> \
  --serial-number <mfa-device-serial-number-or-arn> \
  --authentication-code-1 <first-code-from-device> \
  --authentication-code-2 <second-consecutive-code-from-device>


References:


CIS Controls:

4.5 Use Multifactor Authentication For All Administrative Access

  • Use multi-factor authentication and encrypted channels for all administrative account access.