Description:
Users, and members of groups, that have the "AdministratorAccess" managed policy attached are the most privileged principals in an AWS account. MFA adds an extra layer of protection on top of a user name and password: with MFA enabled, a user who signs in to an AWS website is prompted for the user name and password and for an authentication code from their AWS MFA device.
Note: When virtual MFA is used for Administrator privileges, it is recommended that the device used is NOT a personal device but a dedicated mobile device (tablet or phone) that is kept charged and secured independently of any individual's personal device ("non-personal virtual MFA"). This lessens the risk of losing access to the MFA because of device loss, device trade-in, or because the individual owning the device is no longer employed at the company.
Rationale:
MFA increases security. It helps to protect AWS resources by requiring the authenticating principal to possess a device that emits a time-sensitive code in addition to knowing a credential (the password).
Impact:
MFA adds an extra security layer because it requires users to provide a one-time code from an AWS-supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services. An attacker who learns the password still has to pass one more layer: MFA requires possession of the enrolled device. Note that MFA enforced at console sign-in does not by itself protect API calls made with the user's long-term access keys; restricting those requires an IAM policy condition on aws:MultiFactorAuthPresent.
Default Value:
By default, MFA is not enabled for any IAM user. Enabling it for a user does not require the root user: it can be done by the user themselves or by an IAM principal whose policy allows the MFA management actions (iam:CreateVirtualMFADevice, iam:EnableMFADevice and related actions).
Pre-Requisite:
To enable MFA for the IAM users that hold the AdministratorAccess policy, sign in as an IAM user with permission to manage MFA devices.
You need an authenticator app that runs on a phone or other device (ideally the dedicated, non-personal device described above).
This procedure uses a virtual MFA device; the other options (a FIDO security key or a hardware TOTP token) require a physical device.
Remediation:
Test Plan:
- Sign in to the AWS console as the IAM Admin user at https://console.aws.amazon.com/iam/
- Click on Policies in the left navigation pane and open the AdministratorAccess policy
- For the audit, open the Entities attached tab and click on each IAM entity (group or user) the policy is attached to; for a group, open its Users tab to list the members
- In the Summary, click on the Security credentials tab
- Under Sign-in credentials, check whether an Assigned MFA device is present or not
- Repeat the previous steps for every other IAM user that holds AdministratorAccess, directly or through group membership
Using AWS CLI
- List the users and groups the policy is attached to:
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
- For each group returned, list its members:
aws iam get-group --group-name <group-name>
- For each user found, list the MFA devices assigned to it:
aws iam list-mfa-devices --user-name <user-name>
- Ensure the MFADevices array is not empty for every such user. Note that the AccountMFAEnabled field of "aws iam get-account-summary" only reports whether the root user has MFA enabled, so it is not a valid check for this control.
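A scripted version of the same audit, as an added example that is not part of the original page: it enumerates the users and groups attached to AdministratorAccess, expands group membership, and reports every user that has no MFA device. The audit logic is separated from the API calls so it can be run on the constructed sample responses below; the live path assumes boto3 is installed and the caller has iam:ListEntitiesForPolicy, iam:GetGroup and iam:ListMFADevices. The user, group and account ID values in the sample are made up.

```python
"""Audit: every IAM user holding AdministratorAccess, directly or through a
group, must have at least one MFA device (added example, not the page's code)."""
from typing import Callable, Dict, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def admin_users_without_mfa(
    entities_for_policy: Callable[[str], dict],
    group_members: Callable[[str], List[str]],
    mfa_devices: Callable[[str], list],
    policy_arn: str = ADMIN_POLICY_ARN,
) -> List[str]:
    """Return the sorted user names that hold policy_arn but have no MFA device.

    The three callables mirror ListEntitiesForPolicy, GetGroup and
    ListMFADevices, so the same function runs against live IAM or canned data.
    Roles attached to the policy are ignored: MFA devices belong to users only.
    """
    attached = entities_for_policy(policy_arn)
    users = {u["UserName"] for u in attached.get("PolicyUsers", [])}
    # Users inherit the policy through group membership, so expand every group.
    for group in attached.get("PolicyGroups", []):
        users.update(group_members(group["GroupName"]))
    return sorted(u for u in users if not mfa_devices(u))


def boto3_callables():
    """Wire the audit to the real IAM API (assumes boto3 and valid credentials)."""
    import boto3  # imported here so the module stays importable offline
    iam = boto3.client("iam")

    def entities_for_policy(arn: str) -> dict:
        out: Dict[str, list] = {"PolicyUsers": [], "PolicyGroups": []}
        pages = iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=arn)
        for page in pages:  # large accounts page these results
            out["PolicyUsers"] += page.get("PolicyUsers", [])
            out["PolicyGroups"] += page.get("PolicyGroups", [])
        return out

    def group_members(name: str) -> List[str]:
        pages = iam.get_paginator("get_group").paginate(GroupName=name)
        return [u["UserName"] for page in pages for u in page["Users"]]

    def mfa_devices(user: str) -> list:
        return iam.list_mfa_devices(UserName=user)["MFADevices"]

    return entities_for_policy, group_members, mfa_devices


# Constructed sample responses (not real account data) for offline use.
SAMPLE_ENTITIES = {
    "PolicyUsers": [{"UserName": "alice"}, {"UserName": "bob"}],
    "PolicyGroups": [{"GroupName": "Admins"}],
    "PolicyRoles": [{"RoleName": "DeployRole"}],
}
SAMPLE_GROUPS = {"Admins": ["carol", "alice"]}
SAMPLE_MFA = {
    "alice": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
    "bob": [],
    "carol": [],
}


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample; bob and carol lack MFA."""
    return admin_users_without_mfa(
        lambda arn: SAMPLE_ENTITIES,
        lambda group: SAMPLE_GROUPS.get(group, []),
        lambda user: SAMPLE_MFA.get(user, []),
    )


if __name__ == "__main__":
    print("sample audit, users without MFA:", audit_sample())
    # Against a real account: print(admin_users_without_mfa(*boto3_callables()))
```

Any user name printed by the live run is a finding: that principal holds AdministratorAccess and can sign in with a password alone.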
Implementation Steps:
- Perform the following to enable MFA for the user
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
- Click on Users in the left navigation pane
- Click on the user that holds the AdministratorAccess policy and has no MFA device assigned
- In Summary, click on the Security credentials tab
- Next to Assigned MFA device, click on Manage
- In the "Manage MFA device" wizard, select Virtual (software-based) MFA device
- Open the authenticator app on the dedicated device and use the device's camera to scan the QR code (or enter the secret key manually), then enter two consecutive codes generated by the app
- When the success message appears on your screen, click on the Close button
Backout Plan:
Follow these steps to remove the MFA device from an IAM user (the user is then protected by the password alone, so do this only as a temporary rollback):
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
- Click on Users in the left navigation pane
- Click on the user that has the MFA device assigned
- In Summary, click on the Security credentials tab
- Next to Assigned MFA device, click on Manage
- In the "Manage MFA device" wizard, select Remove
- Click on the Remove button
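The Implementation Steps and the Backout Plan above carried out through the IAM API, as an added example that is not part of the original page: enroll_virtual_mfa creates the virtual device, saves its QR code for scanning on the dedicated device, enables it with two consecutive codes typed by the operator, and deletes the device again if enabling fails so no unassigned device is left behind; remove_virtual_mfa is the rollback. The totp() helper exists only to make concrete what the "authentication code" is (RFC 6238 HMAC-SHA1 over a 30-second counter, the same computation the authenticator app performs) and is checked against the RFC test vector; in real enrolment the codes come from the dedicated device so the seed never lives outside it. It assumes boto3 is installed and the caller holds iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice; the command-line arguments in the main block are a hypothetical interface.

```python
"""Enrol and remove a virtual MFA device for an IAM user through the IAM API
(added example, not the page's own procedure; assumes boto3 for the live path)."""
import base64
import hashlib
import hmac
import struct


def totp(base32_seed, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app shows at time `at`.

    Accepts the seed as str or bytes (boto3 returns Base32StringSeed as bytes).
    Shown for understanding only; a script should not normally hold the seed.
    """
    if isinstance(base32_seed, bytes):
        base32_seed = base32_seed.decode()
    padded = base32_seed.upper() + "=" * (-len(base32_seed) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def validate_code_pair(code1: str, code2: str) -> bool:
    """EnableMFADevice needs two consecutive six-digit codes; reject obvious
    typos locally so a bad pair does not burn an API attempt."""
    for code in (code1, code2):
        if not (code.isdigit() and len(code) == 6):
            raise ValueError(f"code {code!r} is not six digits")
    if code1 == code2:
        raise ValueError("the two codes must come from consecutive 30-second windows")
    return True


def enroll_virtual_mfa(iam, user_name: str, device_name: str, qr_path: str,
                       read_code=input) -> str:
    """Create, enable and return the serial (ARN) of a virtual MFA device.

    read_code is called twice to obtain the codes from the dedicated device;
    it is a parameter so the prompt can be replaced in tests or tooling.
    """
    dev = iam.create_virtual_mfa_device(VirtualMFADeviceName=device_name)["VirtualMFADevice"]
    serial = dev["SerialNumber"]
    with open(qr_path, "wb") as fh:  # scan this PNG with the dedicated device's app
        fh.write(dev["QRCodePNG"])
    try:
        code1 = read_code("First code shown by the device: ").strip()
        code2 = read_code("Next code shown by the device: ").strip()
        validate_code_pair(code1, code2)
        iam.enable_mfa_device(UserName=user_name, SerialNumber=serial,
                              AuthenticationCode1=code1, AuthenticationCode2=code2)
    except Exception:
        # Half-finished enrolment: the device was never enabled, so it can be
        # deleted outright instead of lingering as an orphan in the account.
        iam.delete_virtual_mfa_device(SerialNumber=serial)
        raise
    return serial


def remove_virtual_mfa(iam, user_name: str, serial: str) -> None:
    """Backout: a device must be deactivated before IAM allows deleting it."""
    iam.deactivate_mfa_device(UserName=user_name, SerialNumber=serial)
    iam.delete_virtual_mfa_device(SerialNumber=serial)


if __name__ == "__main__":
    import sys
    import boto3
    user, name = sys.argv[1], sys.argv[2]  # hypothetical CLI: <user-name> <device-name>
    client = boto3.client("iam")
    print("enabled MFA device", enroll_virtual_mfa(client, user, name, f"{name}-qr.png"))
```

After a live run, re-run the audit from the Test Plan: the enrolled user must no longer be reported, and the serial returned here is the value to pass to remove_virtual_mfa if the change has to be rolled back.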