Profile Applicability:

  • Level 1

Description:
 Multi-Factor Authentication (MFA) adds an additional layer of security by requiring a second form of verification (such as an OTP or device-based approval) when users sign in. This is especially critical for protecting sensitive AWS database configurations and account access.

Rationale:
 Using MFA helps prevent unauthorized access to your AWS environment even if a password is compromised. It reduces the likelihood of successful phishing, credential stuffing, and brute-force attacks.

Impact:
 Requiring MFA for IAM users enhances account protection, though it may introduce minor login delays. Properly managing MFA setup and user onboarding is essential to avoid lockouts.

Default Value:
 MFA is not enabled by default for any IAM users or the root account.

Pre-requisites:

  • IAM user(s) created

  • Admin permissions to assign and manage MFA devices

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM > Users.

  3. Select a user and go to the Security credentials tab.

  4. Check whether Assigned MFA device is present and enabled.

Using AWS CLI:

  1. List IAM users:

     aws iam list-users

  2. Check MFA devices associated with a user:

     aws iam list-mfa-devices --user-name <username>
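
An added example (not part of the benchmark text) that automates the two CLI checks above: it walks every IAM user and reports those with no MFA device assigned. The function names and the sample responses are constructed for illustration; the AWS CLI auto-paginates `list-users`, so no marker handling is needed.

```python
"""Flag IAM users that have no MFA device assigned (Test Plan, CLI steps 1-2)."""
import json
import subprocess
from typing import Callable, Dict, List


def run_aws(args: List[str]) -> Dict:
    """Run one AWS CLI command and parse its JSON output.

    Needs working credentials; the CLI auto-paginates list-users, so the
    whole user list arrives in a single 'Users' array.
    """
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def users_without_mfa(list_users: Dict,
                      list_mfa_for: Callable[[str], Dict]) -> List[str]:
    """Return the names of users whose list-mfa-devices response is empty.

    list_users   -- parsed output of `aws iam list-users`
    list_mfa_for -- maps a user name to the parsed output of
                    `aws iam list-mfa-devices --user-name <username>`
    """
    missing = []
    for user in list_users.get("Users", []):
        name = user["UserName"]
        if not list_mfa_for(name).get("MFADevices"):
            missing.append(name)
    return missing


# Constructed sample responses in the shape the two commands print
# (hypothetical users and ARNs, not from the page).
SAMPLE_USERS = {"Users": [{"UserName": "alice"}, {"UserName": "bob"}]}
SAMPLE_MFA = {
    "alice": {"MFADevices": [{
        "UserName": "alice",
        "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
        "EnableDate": "2024-01-01T00:00:00Z"}]},
    "bob": {"MFADevices": []},
}

if __name__ == "__main__":
    # Dry run on the constructed data; swap in run_aws for a live account.
    print(users_without_mfa(SAMPLE_USERS, lambda n: SAMPLE_MFA[n]))  # ['bob']
    # live = users_without_mfa(run_aws(["iam", "list-users"]),
    #     lambda n: run_aws(["iam", "list-mfa-devices", "--user-name", n]))
```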

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Go to IAM > Users, and select the target user.

  3. Click on Security credentials tab.

  4. Under Assigned MFA device, click Manage.

  5. Select Virtual MFA device or Hardware MFA device.

  6. Follow the on-screen steps to scan the QR code or enter the device serial number.

  7. Enter two consecutive OTPs generated by the device.

  8. Click Assign MFA.

Using AWS CLI:

  1. Create a virtual MFA device:

     aws iam create-virtual-mfa-device --virtual-mfa-device-name <device-name> --outfile <path-to-qr-code-image> --bootstrap-method QRCodePNG

  2. Enable the MFA device with two consecutive authentication codes:

     aws iam enable-mfa-device --user-name <username> --serial-number <arn-of-mfa-device> --authentication-code1 <first-code> --authentication-code2 <second-code>

Backout Plan

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Go to IAM > Users, and select the target user.

  3. Click on Security credentials tab.

  4. Under Assigned MFA device, click Remove.

  5. Confirm removal.

Using AWS CLI:

  1. Deactivate the MFA device:

     aws iam deactivate-mfa-device --user-name <username> --serial-number <arn-of-mfa-device>

  2. Delete the virtual MFA device:

     aws iam delete-virtual-mfa-device --serial-number <arn-of-mfa-device>

References: