Description: 

Users and groups with the "AdministratorAccess" policy attached are the most privileged principals in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password as well as for an authentication code from their AWS MFA device.


Note: When virtual MFA is used for Administrator privileges, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed so that it is kept charged and secured independently of any individual's personal device ("non-personal virtual MFA"). This lessens the risk of losing access to the MFA through device loss, device trade-in, or the device owner leaving the company.


Rationale: 

MFA increases security and helps protect AWS resources: it requires the authenticating principal both to possess a device that emits a time-sensitive code and to know a credential.


Impact:

MFA adds an extra security layer because it requires users to provide unique authentication from an AWS-supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services. If an attacker learns the password, they still have to pass one extra layer: MFA requires possession of the device used for authentication.


Default Value:

By default, MFA is not activated for any user. If you want to activate MFA for a user, you need to log in to the root user account.


Pre-Requisite:

  1. To activate MFA for IAM users who have the AdministratorAccess policy, you need to log in as an IAM user.

  2. You need a software app that runs on a phone or other device.

  3. Here we use a virtual MFA device; if you want to use one of the other options, you need an external hardware device.



Remediation:

Test Plan: 

  1. Sign in to the AWS console as the IAM Admin user: https://console.aws.amazon.com/iam/
  2. Click on Policies in the left navigation pane
  3. For the audit, click on the IAM entity (Group or User) to which this policy is attached
  4. In the Summary section, click on the Security credentials tab
  5. Under Sign-in credentials, check whether an Assigned MFA device is present
  6. For auditing, repeat steps 3-5 for all other IAM users who have the AdministratorAccess policy.

Using the AWS CLI:

  1. Run the following command
    aws iam get-account-summary | grep "AccountMFAEnabled"

  2. Ensure the AccountMFAEnabled property is set to 1
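The AccountMFAEnabled field returned by get-account-summary reports whether the root user has MFA enabled; it says nothing about individual IAM users. To audit administrators one by one without clicking through the console, the per-user status can be read from the IAM credential report (its mfa_active column) and cross-referenced with the principals the AdministratorAccess policy is attached to. The script below is an added example, not part of the original document. It runs offline on constructed samples that mimic the output of three real commands: aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess, aws iam get-group --group-name <name>, and aws iam get-credential-report --query Content --output text | base64 -d (run aws iam generate-credential-report first). The user names, IDs and account number in the samples are made up, and the CSV excerpt carries only the columns the script uses; the real report has many more.

```python
"""Audit: which IAM users with AdministratorAccess lack an MFA device?

Added example, not part of the original document. All input data below is
constructed to look like real AWS CLI output; replace it with the output of
the commands named in each comment to run the audit against a real account.
"""
import csv
import io
import json

# Constructed sample of:
#   aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
POLICY_ENTITIES_JSON = json.dumps({
    "PolicyGroups": [{"GroupName": "Admins", "GroupId": "AGPAEXAMPLEGROUP"}],
    "PolicyUsers": [{"UserName": "carol", "UserId": "AIDAEXAMPLEUSER3"}],
    "PolicyRoles": [],
})

# Constructed sample of `aws iam get-group --group-name Admins`, keyed by group name.
GROUP_MEMBERS_JSON = {
    "Admins": json.dumps({"Users": [{"UserName": "alice"}, {"UserName": "bob"}]}),
}

# Constructed excerpt of the decoded credential report (real column names, fake data).
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T00:00:00+00:00,true,false
carol,arn:aws:iam::123456789012:user/carol,2022-05-06T00:00:00+00:00,true,false
dave,arn:aws:iam::123456789012:user/dave,2022-05-06T00:00:00+00:00,true,false
"""


def admin_users(policy_entities_json, group_members_json):
    """Return the set of user names holding AdministratorAccess, whether the
    policy is attached to the user directly or to one of their groups."""
    entities = json.loads(policy_entities_json)
    users = {u["UserName"] for u in entities.get("PolicyUsers", [])}
    for group in entities.get("PolicyGroups", []):
        members = json.loads(group_members_json[group["GroupName"]])
        users.update(u["UserName"] for u in members.get("Users", []))
    return users


def mfa_status(credential_report_csv):
    """Map each user in the credential report to True/False from its mfa_active column."""
    reader = csv.DictReader(io.StringIO(credential_report_csv))
    return {row["user"]: row["mfa_active"] == "true" for row in reader}


def admins_without_mfa(policy_entities_json, group_members_json, credential_report_csv):
    """Sorted list of AdministratorAccess users whose mfa_active is not true.
    A user missing from the report is treated as having no MFA (fail closed)."""
    status = mfa_status(credential_report_csv)
    return sorted(
        user for user in admin_users(policy_entities_json, group_members_json)
        if not status.get(user, False)
    )


if __name__ == "__main__":
    findings = admins_without_mfa(POLICY_ENTITIES_JSON, GROUP_MEMBERS_JSON, CREDENTIAL_REPORT_CSV)
    for user in findings:
        print(f"FAIL: {user} has AdministratorAccess but no MFA device")
    if not findings:
        print("PASS: every AdministratorAccess user has MFA enabled")
```

Note that "dave" is not flagged even though he has no MFA, because he does not hold AdministratorAccess; users inheriting the policy through the Admins group (alice, bob) are checked alongside the directly attached user (carol). IAM refreshes the credential report at most once every four hours, so a device enabled minutes ago may still show mfa_active as false until the next report is generated.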

Implementation Steps:

  1. Perform the following to establish MFA for the user:
  2. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  3. Click on Users in the left navigation pane
  4. Click on the user who has the AdministratorAccess policy and no assigned MFA device
  5. In Summary, click on the Security credentials tab
  6. Under Assigned MFA device, click on Manage
  7. In the "Manage MFA device" wizard, select Virtual (software-based) MFA device
  8. Use your device's camera to scan the QR code.
  9. When the success message appears on your screen, click on the Close button

Backout Plan:

Follow these steps to remove the MFA device from an IAM user:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
  2. Click on Users in the left navigation pane
  3. Click on the user that has an assigned MFA device
  4. In Summary, click on the Security credentials tab
  5. Click on Manage next to Assigned MFA device
  6. Select Remove in the Manage MFA device dialog
  7. Click on the Remove button


References:

  1. Security best practices in IAM - AWS Identity and Access Management 

  2. Enabling a virtual multi-factor authentication (MFA) device (console) - AWS Identity and Access Management 

  3. IAM tutorial: Permit users to manage their credentials and MFA settings - AWS Identity and Access Management