Profile Applicability: Level 1


Description:

The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.


Note: When virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independently of any individual personal devices. ("non-personal virtual MFA). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.


Rationale:

Enabling MFA provides increased security for console access, as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential. 


Audit: 

  1. Sign in to the AWS Management Console using the root account credentials.

  2. Click on the AWS account name/number available in the upper-right corner of the Management Console and select My Security Credentials from the dropdown menu. 

  3. On Your Security Credentials page, click on the Multi-factor authentication (MFA) tab to expand the panel with the MFA configuration settings available for the root account.

  4. On the Multi-factor authentication (MFA) panel, check for any MFA devices enabled for the AWS root account. 


Using AWS CLI

Run the following command:

aws iam get-account-summary | grep "AccountMFAEnabled"

Implementation Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console as root user.

  2. On the right side of the navigation bar, choose your account name, and choose My Security Credentials. If necessary, choose Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.

  3. Choose Assign MFA device. 

  4. In the wizard, choose Virtual MFA device, and then choose Continue.

    IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.

  5. Open the virtual MFA app on the device.
    If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.

  6. The easiest way to configure the app is to use the app to scan the QR code. If you cannot scan the code, you can type the configuration information manually. The QR code and secret configuration key generated by IAM are tied to your AWS account and cannot be used with a different account. They can, however, be reused to configure a new MFA device for your account in case you lose access to the original MFA device.

    • To use the QR code to configure the virtual MFA device, from the wizard, choose Show QR code. Then follow the app instructions for scanning the code. For example, you might need to choose the camera icon or choose a command like Scan account barcode, and then use the device's camera to scan the QR code.

    • In the Manage MFA Device wizard, choose Show secret key, and then type the secret key into your MFA app.

    • The device starts generating six-digit numbers.

  7. In the Manage MFA Device wizard, in the MFA Code 1 box, enter the six-digit number that's currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the MFA Code 2 box.

  8. Choose Assign MFA, and then choose Finish.


Using AWS CLI

aws iam enable-mfa-device \
--user-name Bob \
--serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
--authentication-code1 123456 \
--authentication-code2 789012


Backout Plan:

  • AWS Console Process

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

  2. On the right side of the navigation bar, choose on your account name, and then choose My Security Credentials. If necessary, choose Continue to Security Credentials

  3. In the Multi-factor authentication (MFA) section, choose the radio button next the MFA device that you want to deactivate and choose Remove.

  4. Choose Remove.


Using AWS CLI

Run this command:

aws iam deactivate-mfa-device \
--user-name Bob \
--serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \

Note:

When virtual MFA is used for a Root Account, we recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed, kept charged and secured independently of any individual personal devices. This is known as a "non-personal virtual MFA". This reduces the risk of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.

Reference:

Using multi-factor authentication (MFA) in AWS - AWS Identity and Access Management 

Deactivating MFA devices - AWS Identity and Access Management 


CIS Controls:

4.5 Use Multifactor Authentication For All Administrative Access

Use multi-factor authentication and encrypted channels for all administrative account access.