iCompaas Support

Description: 

Multi-Factor Authentication (MFA) helps to protect your AWS resources. You can enable MFA for IAM users or the AWS account root user. IAM users contain their own credentials means each identity has its own MFA configuration. This Multi-Factor Authentication works as an extra layer of protection on top of a user name and password and we know that those users or groups with Administrator Access policy also access all services and resources in this type of group users are the 2nd in charge after the root user in this group users is also most privileged user in an AWS account. This extra layer protection enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. 

Note: When virtual MFA is used for Administrator privileges, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independently of any individual personal device. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.

Rationale: 

MFA increased security, It helps to protect AWS resources, it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.

Impact:

MFA adds an extra security layer because it requires users to provide unique authentication from an AWS-supported MFA mechanism in addition to their region sign-in credentials when they access AWS websites or services. If Hacker finds out the password, it needs to pass through one extra layer: MFA needs a device for authentication.

Default Value:

By Default, MFA is not activated for any users if you want to activate MFA for the user you need to login into the root user account.

Pre-Requisite:

1. If you want to activate MFA in those IAM users who contain AdministratorAccess policy you need to log in as an IAM user.

2. You need a software app that runs on a phone or other device.

3. Here we use a Virtual MFA device if you want to go with  one of the other options you need an external device 

Remediation:

Test Plan: 

1. Sign in to AWS console as the IAM Admin user https://console.aws.amazon.com/iam/
2. Click on Policy in the left navigation pane.
3. Click on  Administrator Access.
4.  In Summary, you click on the Policy usage tab in this tab you find which IAM entity is attached with this policy. 
5. For audit click on the IAM entity(Group or User) which is attached with this policy.
   
6. In the Summary part you click on the Security credentials tab.
7. We see in the Sign-in credential  Assigned MFA device is assigned or not as per the above pic, MFA device is not assigned to this IAM user.
   
8. Step 7:  For auditing follow the step 3-6 for all other IAM users who contain AdministratorAccess policy.
   
   

Using AWS CLI 

1. Run the following command

   aws iam get-account-summary | grep “AccountMFAEnabled”

2. Ensure the AccountMFAEnabled property is set to 1

Implementation Steps:

1. Perform the following to establish MFA for the user
2. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
3. Click on Users in the left navigation pane
4. Click on the user who contains AdiministratorAccess policy and it is not assigned MFA.
5. In Summary, you click on Security credentials tab
   
6.  In the Multi-factor authentication (MFA) click on Assign MFA Device.
7. In the wizard “Manage MFA device” we have three options Virtual(software-based) MFA device, U2F security key (USB device-based), the last one is another hardware MFA device. From there you can choose any of the options. (Note: Here we are going with the Virtual MFA device for implementation). Select Virtual MFA device.
8. We see steps to set up a virtual MFA device as below
   1. Install a compatible app on your mobile device or computer
   2. Use your virtual MFA app and your device’s camera to scan the QR code.
   Using the compatible application through a mobile device we scan the QR code or we can type the secret key.
9. Open your virtual MFA application here We use Microsoft Authenticator you can use anyone from the list which hosting virtual MFA devices, If the virtual MFA application supports multiple accounts( multiple virtual MFA devices), choose to create a new account (a new virtual MFA device).
10. Determine whether the MFA app supports QR codes, and then do one of the following:
    1. Use the app to scan the QR code.
    2. In the Manage MFA Device wizard, choose the secret key for manual configuration and then type the secret configuration key into your MFA application.
11. When you finished the virtual MFA device starts generating one-time passwords.
    1. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device and then wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. then click on Assing MFA
12. You can see a successful message on your screen click on the close button.
    
    

Backout Plan:

Following Steps to remove the MFA form IAM User:

1.  Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
2.  Click on Users in the left navigation pane.
3.  Click on the user which have assigned MFA.
    
4.  In Summary, you click on Security credentials.
5. Click on Manage of Assigned MFA device.
6. Select Remove in Manage MFA device 
7. Click on the Remove button

References:

1. Security best practices in IAM - AWS Identity and Access Management 

2. Enabling a virtual multi-factor authentication (MFA) device (console) - AWS Identity and Access Management 

3. IAM tutorial: Permit users to manage their credentials and MFA settings - AWS Identity and Access Management 

4. For compatible https://aws.amazon.com/iam/features/mfa/?audit=2019q1