Description: 

Users, and members of groups, with the "AdministratorAccess" policy attached are the most privileged principals in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password as well as for an authentication code from their AWS MFA device.


Note: When virtual MFA is used for Administrator privileges, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is kept charged and secured independently of any individual's personal device ("non-personal virtual MFA"). This lessens the risk of losing access to the MFA through device loss, device trade-in, or the individual owning the device leaving the company.


Rationale: 

MFA increases security. It helps to protect AWS resources because it requires the authenticating principal both to possess a device that emits a time-sensitive key and to know a credential.


Impact:

MFA adds an extra security layer because it requires users to provide a unique authentication code from an AWS-supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services. If an attacker finds out the password, they still need to pass one extra layer: MFA requires the enrolled device for authentication.


Default Value:

By default, MFA is not activated for any user. If you want to activate MFA for a user, you need to log in to the root user account.


Audit:

Perform the following steps to determine whether the IAM users who hold the AdministratorAccess policy have MFA enabled:

Step 1: Sign in to the AWS console as the IAM Admin user at https://console.aws.amazon.com/iam/

Step 2: Click on Policies in the left navigation pane

Step 3: Click on AdministratorAccess

Step 4: In Summary, click on the Policy usage tab; this tab shows which IAM entities have this policy attached.

Step 5: For the audit, click on the IAM entity (Group or User) to which this policy is attached

Step 6: In the Summary section, click on the Security credentials tab

Step 7: Under Sign-in credentials, check whether an Assigned MFA device is present or not

Step 8: For the audit, repeat steps 3-7 for all other IAM users who hold the AdministratorAccess policy.


Via CLI:

Perform the following to determine from the CLI whether the root account has MFA set up:

  1. Run the following command

    aws iam get-account-summary | grep "AccountMFAEnabled"

    Ensure the AccountMFAEnabled property is set to 1
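The console audit in steps 1-8 above can be automated. The block below is an added example, not part of the original control text: it resolves every user that holds AdministratorAccess directly or through a group and reports those with no assigned MFA device. The check functions run offline on a constructed sample shaped like the IAM API responses; collect_from_aws() shows how those shapes would be filled with boto3 (assumed, not executed here).

```python
"""Audit helper (added example): AdministratorAccess holders with no MFA device.
Pure checks run on dicts shaped like the IAM API responses; collect_from_aws()
sketches filling them with boto3 (assumed, not executed offline)."""
from typing import Dict, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def resolve_admin_users(policy_users: List[str], policy_groups: List[str],
                        group_members: Dict[str, List[str]]) -> List[str]:
    """Users holding the policy directly or through an attached group (sorted, deduplicated)."""
    admins = set(policy_users)
    for group in policy_groups:
        admins.update(group_members.get(group, []))
    return sorted(admins)


def admins_without_mfa(admins: List[str], mfa_devices: Dict[str, List[str]]) -> List[str]:
    """Findings: admins whose 'Assigned MFA device' list is empty or missing."""
    return [u for u in admins if not mfa_devices.get(u)]


def audit(data: Dict[str, object]) -> List[str]:
    admins = resolve_admin_users(data["policy_users"], data["policy_groups"],
                                 data["group_members"])
    return admins_without_mfa(admins, data["mfa_devices"])


def collect_from_aws() -> Dict[str, object]:
    """Assumed boto3 collector returning the same shape as SAMPLE (needs AWS credentials)."""
    import boto3  # lazy import: the offline checks above need no SDK
    iam = boto3.client("iam")
    ents = iam.get_paginator("list_entities_for_policy").paginate(
        PolicyArn=ADMIN_POLICY_ARN).build_full_result()
    users = [u["UserName"] for u in ents.get("PolicyUsers", [])]
    groups = [g["GroupName"] for g in ents.get("PolicyGroups", [])]
    members = {g: [u["UserName"] for u in iam.get_group(GroupName=g)["Users"]] for g in groups}
    devices = {u: [d["SerialNumber"] for d in iam.list_mfa_devices(UserName=u)["MFADevices"]]
               for u in resolve_admin_users(users, groups, members)}
    return {"policy_users": users, "policy_groups": groups,
            "group_members": members, "mfa_devices": devices}


# Constructed sample standing in for the API responses (not real account data).
SAMPLE = {
    "policy_users": ["alice"],                   # policy attached to the user directly
    "policy_groups": ["Admins"],                 # policy attached to a group
    "group_members": {"Admins": ["bob", "carol"], "Devs": ["dave"]},
    "mfa_devices": {"alice": ["arn:aws:iam::123456789012:mfa/alice"],
                    "bob": [],                   # admin via group, no MFA: a finding
                    "carol": ["arn:aws:iam::123456789012:mfa/carol"],
                    "dave": []},                 # not an admin, so not a finding
}
```

Running audit(SAMPLE) returns ['bob']: the group-inherited admin with no device is the finding, while dave is ignored because he does not hold the policy.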


Remediation:

Pre-Requisite:

  1. To activate MFA for the IAM users who hold the AdministratorAccess policy, you need to log in as an IAM user.

  2. You need a software app that runs on a phone or other device.

  3. Here we use a virtual MFA device; if you want to go with one of the other options, you need an external hardware device.


Implementation Steps:

Perform the following to establish MFA for the user:

Step 1: Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

Step 2: Click on Users in the left navigation pane

Step 3: Click on a user who holds the AdministratorAccess policy and has no MFA assigned

Step 4: In Summary, click on the Security credentials tab

Step 5: Under Assigned MFA device, click on Manage

Step 6: The "Manage MFA device" wizard offers three options: Virtual (software-based) MFA device, U2F security key (USB device-based), and Other hardware MFA device. You can choose any of them. (Note: here we go with the Virtual MFA device for the implementation.) Select Virtual MFA device

Step 7: The wizard shows the steps to set up a virtual MFA device:

1. Install a compatible app on your mobile device or computer
2. Use your virtual MFA app and your device's camera to scan the QR code.
Using the compatible application on a mobile device, scan the QR code, or type in the secret key instead.

Step 8: Open your virtual MFA application. Here we use Microsoft Authenticator; you can use any app from the list of those that host virtual MFA devices. If the application supports multiple accounts (multiple virtual MFA devices), choose to create a new account (a new virtual MFA device).

Step 9: Determine whether the MFA app supports QR codes, and then do one of the following:
1. Use the app to scan the QR code.
2. In the Manage MFA Device wizard, choose Show secret key for manual configuration and then type the secret configuration key into your MFA application.

Step 10: When you have finished, the virtual MFA device starts generating one-time passwords.
1. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device, then wait up to 30 seconds for the device to generate a new one-time password. Type the second one-time password into the Authentication Code 2 box, then click on Assign MFA

Step 11: A success message appears on your screen; click on the Close button



Backout Plan:

Follow these steps to remove MFA from an IAM user:

Step 1: Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

Step 2: Click on Users in the left navigation pane

Step 3: Click on the user that has an MFA device assigned

Step 4: In Summary, click on the Security credentials tab

Step 5: Under Assigned MFA device, click on Manage

Step 6: Select Remove in the Manage MFA device wizard

Step 7: Click on the Remove button


References:

  1. Security best practices in IAM - AWS Identity and Access Management 

  2. Enabling a virtual multi-factor authentication (MFA) device (console) - AWS Identity and Access Management 

  3. IAM tutorial: Permit users to manage their credentials and MFA settings - AWS Identity and Access Management