Profile Applicability

  • Level 1

Description:

Multi-factor authentication (MFA) provides an additional layer of security by requiring users to present more than just their password to access AWS resources. When enabled, MFA helps prevent unauthorized access to accounts, even if a password is compromised.

This control ensures that all IAM users who have a console password are required to enable MFA. This is important for securing user accounts, especially those with administrative privileges or access to sensitive resources.

Rationale:

Requiring MFA for IAM users:

  • Adds an extra layer of security by requiring a second factor (e.g., a hardware token, mobile app, or SMS-based code) in addition to a password.

  • Protects against unauthorized access, even if an attacker manages to obtain an IAM user’s password.

  • Meets security best practices and compliance requirements, such as those from NIST or PCI DSS, which require the use of MFA for sensitive access.

By enforcing MFA for all IAM users with console access, organizations can significantly reduce the risk of account compromise.

Impact:

Failure to enable MFA for IAM users with console passwords can lead to:

  • Increased risk of account compromise if an attacker gains access to a password.

  • Potential data breaches or unauthorized actions being performed by compromised accounts.

  • Non-compliance with security regulations and standards.

Enabling MFA for all IAM users with console access strengthens the security of your AWS environment by reducing the risk of unauthorized access.

Default Value:

By default, MFA is not enabled for IAM users. It must be manually configured for each IAM user with console access.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions to view and update IAM user settings

  • Access to the AWS Management Console or CLI to enable MFA for users

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM > Users.

  3. Verify that IAM users who have console access are listed.

  4. Check the Security credentials tab for each user to see if MFA is enabled.

  5. If MFA is not enabled for a user with console access, initiate the MFA setup process.

Using AWS CLI:

To list all IAM users and check if MFA is enabled for those with console access:

aws iam list-users --query "Users[?PasswordLastUsed].UserName" --output table

To check if MFA is enabled for a specific IAM user:
aws iam list-mfa-devices --user-name <user-name> --output table
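The IAM credential report gives a more complete picture than the list-users query above: PasswordLastUsed is absent for a user who has a console password but has never signed in with it, so such a user would not appear in that query's output, whereas the report's password_enabled column is set regardless. The script below is an added example and not part of the original control text. It assumes the AWS CLI is installed and configured (as listed under Pre-Requisites) and that the caller holds iam:GenerateCredentialReport and iam:GetCredentialReport; the embedded sample report is constructed, with a made-up account ID and user names, so the check itself runs offline.

```shell
# Added example (not from the original page): flag IAM users that have a
# console password but no active MFA device, using the IAM credential report.
# Columns are looked up by header name, so the real report's extra columns
# (access keys, certificates, ...) do not affect the check.

# Download and decode the account's credential report. IAM generates a new
# report at most every four hours; otherwise the existing one is returned.
# Not called by the offline demonstration at the bottom of this file.
fetch_credential_report() {
  aws iam generate-credential-report > /dev/null
  # Generation is asynchronous; get-credential-report fails until it is ready.
  until report_b64=$(aws iam get-credential-report --query 'Content' --output text 2>/dev/null); do
    sleep 2
  done
  printf '%s' "$report_b64" | base64 -d
}

# Read a credential-report CSV on stdin and print, one per line, every IAM
# user with password_enabled=true and mfa_active=false. The <root_account>
# row is skipped because root MFA is covered by a separate control.
find_console_users_without_mfa() {
  awk -F',' '
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    NR == 1 {                               # header: map column names to numbers
      for (i = 1; i <= NF; i++) col[$i] = i
      next
    }
    {
      user = $(col["user"])
      pw   = $(col["password_enabled"])
      mfa  = $(col["mfa_active"])
      if (user != "<root_account>" && pw == "true" && mfa == "false") print user
    }
  '
}

# Constructed sample report: a subset of the real report's columns, with a
# made-up account ID and user names. "bob" has a console password that has
# never been used, which the PasswordLastUsed query in the test plan misses.
sample_report() {
  cat <<'EOF'
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,true,2024-03-01T09:12:00+00:00,2020-01-01T00:00:00+00:00,N/A,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-05-01T00:00:00+00:00,true,2024-03-02T10:00:00+00:00,2021-05-01T00:00:00+00:00,N/A,true,false
bob,arn:aws:iam::123456789012:user/bob,2022-02-01T00:00:00+00:00,true,no_information,2022-02-01T00:00:00+00:00,N/A,false,false
carol,arn:aws:iam::123456789012:user/carol,2022-08-01T00:00:00+00:00,true,2024-02-20T15:30:00+00:00,2022-08-01T00:00:00+00:00,N/A,false,true
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true
EOF
}

# Offline demonstration on the constructed sample.
sample_report | find_console_users_without_mfa

# Live check against the account (uncomment once credentials are configured):
# fetch_credential_report | find_console_users_without_mfa
```

Any user name printed by the live check is a finding for this control; the svc-deploy style of user (no console password, access keys only) is intentionally not reported, since this control is scoped to users with a console password.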


Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM > Users > <IAM user> > Security credentials tab.

  3. Under Multi-factor authentication (MFA), click Assign MFA device.

  4. Choose the MFA device type (e.g., Virtual MFA device or Hardware MFA device).

  5. Follow the prompts to enable MFA for the IAM user, and verify the MFA device by entering the authentication code.

  6. Repeat for all IAM users with console access.

Using AWS CLI:

  1. Create a virtual MFA device. The CLI requires a bootstrap method: QRCodePNG writes a QR code image to the output file, Base32StringSeed writes the seed as text. The SerialNumber in the response is the device ARN and is used in the next step:

aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa-device-name> --bootstrap-method QRCodePNG --outfile <file-path>

  2. Associate the virtual MFA device with the IAM user, supplying two consecutive codes generated by the device:

aws iam enable-mfa-device --user-name <user-name> --serial-number <mfa-device-serial-number> --authentication-code1 <first-code> --authentication-code2 <second-code>

  3. Repeat for all IAM users with console access.

Backout Plan:

Using AWS Console:

  1. If enabling MFA causes issues for users:

    • Sign in to the IAM Console and navigate to Users.

    • Under Security credentials, select the affected user.

    • Disable the MFA device or assign a different MFA device to resolve issues.

  2. If users cannot access their account with MFA:

    • Verify the MFA device is properly configured.

    • If necessary, remove the MFA device and reconfigure it:

      • Click Remove next to the MFA device, then assign a new MFA device.

Using AWS CLI:

  1. If MFA is not working properly for an IAM user:

    • Remove the MFA device:

aws iam deactivate-mfa-device --user-name <user-name> --serial-number <mfa-device-serial-number>

    • Re-enable MFA after troubleshooting the issue.

  2. If an IAM user cannot access the system due to MFA:

    • Remove the MFA device temporarily:

aws iam deactivate-mfa-device --user-name <user-name> --serial-number <mfa-device-serial-number>

    • Reconfigure MFA once the issue is resolved.

References:

CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                4.5          Implement Strong Authentication for All Users
CIS v8                4.6          Secure Authentication Methods for Cloud Accounts
CIS v7                4.3          Enforce Strong Passwords and Access Control Policies
