Profile Applicability:
Level 1
Description:
AWS IAM users with a console password should have Multi-Factor Authentication (MFA) enabled to provide an additional security layer beyond a password. When MFA is enabled, users must provide:
Username & password
A time-sensitive authentication code from a virtual or hardware MFA device
AWS will no longer support SMS MFA, so all users should switch to alternative MFA methods.
Rationale:
Increases security by requiring a second authentication factor.
Prevents unauthorized access in case of compromised credentials.
Protects against phishing, credential stuffing, and brute-force attacks.
Required for compliance with security frameworks (CIS, SOC 2, ISO 27001).
Impact:
Failure to enable MFA increases the risk of unauthorized access to AWS accounts.
IAM users with console passwords but no MFA are more vulnerable to credential leaks.
Compliance issues with security policies requiring strong authentication.
Default Value:
By default, AWS does not enforce MFA for IAM users.
IAM users can log in with only a password unless MFA is manually enabled.
Pre-Requisites:
AWS IAM Administrator Access:
Permissions required: iam:ListUsers, iam:ListMFADevices, iam:EnableMFADevice.
MFA Device Availability:
Users should have access to a virtual MFA app or hardware MFA token.
User Communication:
Notify users that MFA will be enforced and provide setup instructions.
Remediation:
Test Plan:
Using AWS Console :
Open the IAM Console: AWS IAM Console.
In the left panel, select Users.
Click the gear icon in the top-right corner of the user table.
Ensure the "MFA" and "Password age" columns are visible.
For each IAM user where "Password age" is set, ensure that the "MFA" column shows:
Virtual MFA, U2F Security Key, or Hardware.
If any user with a password does not have MFA, they are non-compliant.
Using AWS Command Line:
Generate a credential report:
aws iam generate-credential-report
Retrieve and process the credential report:
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8
The output will look like this:
user,password_enabled,mfa_active elise,false,false brandon,true,true rakesh,false,false helene,false,false paras,true,true anitha,false,false
- Ensure that for any user where password_enabled = true, the mfa_active field is also true.
Implementation Steps:
Step 1: Enable MFA for IAM Users via Console
Open the IAM Console: AWS IAM Console.
Click Users.
Select the IAM user that needs MFA.
Go to the Security Credentials tab.
Click Manage MFA Device.
In the MFA Setup Wizard, choose:
Virtual MFA device (e.g., Google Authenticator).
U2F Security Key (e.g., YubiKey).
Hardware MFA Token.
Scan the QR Code or enter the secret key manually.
Enter two consecutive MFA codes from the MFA device.
Click Assign MFA.
Step 2: Enable MFA for IAM Users via CLI
List IAM users without MFA:
aws iam list-users --query 'Users[*].[UserName]' --output table
Enable MFA for a specific user:
aws iam enable-mfa-device --user-name <user-name> --serial-number <mfa-serial> --authentication-code-1 <code1> --authentication-code-2 <code2>
Replace <mfa-serial> with the MFA device ARN.
Replace <code1> and <code2> with the first two consecutive codes from the MFA device.
Backout Plan:
If a user cannot access AWS due to MFA issues: An IAM administrator should disable MFA using:
aws iam deactivate-mfa-device --user-name <user-name> --serial-number <mfa-serial>
The user should reset their MFA device and reconfigure it.
Re-enable MFA after resolving issues.