Profile Applicability:
Level 1


Description:
This control ensures that all AWS Identity and Access Management (IAM) users have a hardware Multi-Factor Authentication (MFA) device assigned. IAM offers two hardware options: a hardware TOTP token, which displays one-time codes, and a FIDO2 security key (passkey or security key). Both keep the authentication secret in a dedicated, tamper-resistant device instead of a phone app, so a compromised phone or workstation cannot copy it. Only the FIDO2 security key is phishing-resistant: its signed assertion is bound to the sign-in origin, whereas a TOTP code from a hardware token can still be relayed by a phishing page like any other one-time code. Either option strengthens account security well beyond password-only sign-in and reduces the risk of unauthorized access from credential theft or compromised passwords.


Rationale:
Hardware MFA adds a robust layer of protection to user accounts, especially for administrative and privileged users. Unlike a virtual MFA app, a hardware device does not share a general-purpose operating system with other software, so malware or a compromised mobile device cannot extract its seed or private key, and the factor cannot be cloned to another device. (SIM swapping defeats SMS-delivered codes, not TOTP apps, so it is not the threat hardware MFA addresses here.) Enforcing hardware MFA helps secure AWS environments against unauthorized account access and aligns with best practices recommended by CIS, SOC 2, ISO 27001, PCI DSS, and NIST SP 800-63B.


Impact:
Positive Impact: Enhances account security by ensuring only users in possession of a physical, enrolled device can authenticate, reducing the likelihood of credential-based breaches.
Negative Impact: Requires purchasing, distributing, and tracking physical MFA devices, and users must have the device with them at sign-in. A lost or broken device locks the user out until an administrator removes it, so a documented recovery process is needed.


Default Value:
By default, IAM users do not have MFA enabled. MFA (virtual or hardware) must be assigned manually for each user; IAM does not require it unless a policy denies actions when the aws:MultiFactorAuthPresent condition key is false.


Pre-Requisite:

  • IAM permissions required: iam:ListUsers, iam:ListMFADevices, and iam:EnableMFADevice (plus iam:DeactivateMFADevice for the backout steps).

  • Hardware MFA devices: either a hardware TOTP token (e.g., a Gemalto/Thales token) or a FIDO2 security key (e.g., a YubiKey). The IAM console treats these as two distinct device types.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console using administrative credentials.

  2. Navigate to IAM → Users.

  3. Select a user account.

  4. Under the Security credentials tab, scroll to the Assigned MFA device section.

  5. Verify that:

    • The assigned MFA device type is Hardware TOTP token or Passkey or security key (FIDO2).

    • If no MFA device is listed, or the only device is an Authenticator app (virtual MFA), the user is non-compliant.
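Checking users one at a time in the console does not scale, so the following script, an added example for this control and not AWS or CIS code, performs the same check for every IAM user from the output of aws iam list-mfa-devices. It classifies each device by its SerialNumber: the ARN form arn:<partition>:iam::<account>:mfa/<name> is a virtual device, the form arn:<partition>:iam::<account>:u2f/user/<user>/... is a FIDO security key, and a bare manufacturer serial (for example GAHT12345678) is a hardware TOTP token. The five-user inventory embedded in the script is constructed sample data, and the --live switch, the aws CLI on PATH, and credentials with the permissions listed above are assumptions of this example.

```python
"""Audit IAM users for hardware MFA (hardware TOTP token or FIDO security key).

Added example for this control; not AWS code. Devices are classified by the
SerialNumber that `aws iam list-mfa-devices` returns:
  arn:<partition>:iam::<acct>:mfa/<name>          -> virtual MFA (authenticator app)
  arn:<partition>:iam::<acct>:u2f/user/<user>/..  -> FIDO security key
  any non-ARN value (e.g. GAHT12345678)           -> hardware TOTP token serial
The sample inventory below is constructed, not taken from a real account.
"""
import json
import subprocess
import sys
from typing import Dict, List

HARDWARE_TYPES = {"hardware-totp", "fido"}


def classify_serial(serial: str) -> str:
    """Map a SerialNumber to virtual / fido / hardware-totp / unknown."""
    if serial.startswith("arn:"):
        resource = serial.split(":", 5)[5]          # resource part after the account ID
        if resource.startswith("mfa/"):
            return "virtual"
        if resource.startswith("u2f/"):
            return "fido"
        return "unknown"
    return "hardware-totp"                           # bare manufacturer serial


def evaluate_user(user_name: str, devices: List[dict]) -> dict:
    """A user passes if at least one assigned device is hardware-backed."""
    types = [classify_serial(d["SerialNumber"]) for d in devices]
    compliant = any(t in HARDWARE_TYPES for t in types)
    if not types:
        finding = "no MFA device assigned"
    elif compliant:
        finding = "hardware MFA present"
    else:
        finding = "only " + ", ".join(sorted(set(types))) + " MFA assigned"
    return {"user": user_name, "device_types": types,
            "compliant": compliant, "finding": finding}


def audit(inventory: Dict[str, List[dict]]) -> List[dict]:
    """Evaluate every user; inventory maps UserName -> MFADevices list."""
    return [evaluate_user(user, devices) for user, devices in sorted(inventory.items())]


def _aws_iam(*args: str) -> dict:
    """Run an AWS CLI IAM command and parse its JSON output (needs credentials)."""
    proc = subprocess.run(["aws", "iam", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def live_inventory() -> Dict[str, List[dict]]:
    """Collect MFADevices for every IAM user (the CLI paginates list-users itself)."""
    users = _aws_iam("list-users")["Users"]
    return {u["UserName"]: _aws_iam("list-mfa-devices", "--user-name", u["UserName"])["MFADevices"]
            for u in users}


# Constructed sample: what live_inventory() would return for five hypothetical users.
SAMPLE_INVENTORY: Dict[str, List[dict]] = {
    "alice": [{"UserName": "alice", "SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
    "bob":   [{"UserName": "bob", "SerialNumber": "arn:aws:iam::123456789012:u2f/user/bob/default-AAAA"}],
    "carol": [{"UserName": "carol", "SerialNumber": "GAHT12345678"}],
    "dave":  [],
    "erin":  [{"UserName": "erin", "SerialNumber": "arn:aws:iam::123456789012:mfa/erin-phone"},
              {"UserName": "erin", "SerialNumber": "GAHT87654321"}],
}


if __name__ == "__main__":
    inventory = live_inventory() if "--live" in sys.argv else SAMPLE_INVENTORY
    results = audit(inventory)
    for r in results:
        print(f"{'PASS' if r['compliant'] else 'FAIL'}  {r['user']:<12} {r['finding']}")
    sys.exit(0 if all(r["compliant"] for r in results) else 1)
```

Without arguments the script evaluates the constructed sample; with --live it walks the account and exits non-zero when any user fails, which makes it usable as a scheduled or CI check. The credential report's mfa_active column is not sufficient for this control because it reports only whether some MFA device is active, not which type. A user such as erin, who keeps a virtual device beside the hardware one, passes this check; treat the leftover virtual device as a clean-up item if the intent is hardware-only.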

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Users.

  2. Select the IAM user who needs hardware MFA.

  3. Go to the Security credentials tab.

  4. In the Multi-factor authentication (MFA) section, click Assign MFA device and give the device a name.

  5. Choose the device type: Hardware TOTP token for a one-time-code token, or Passkey or security key for a FIDO2 security key.

  6. For a hardware TOTP token, enter the serial number printed on the physical token.

  7. For a hardware TOTP token, generate two consecutive authentication codes on the device and enter them when prompted. For a security key, follow the browser prompt and touch the key when it blinks.

  8. Click Assign MFA to complete the setup.

  9. Instruct users to keep their hardware MFA devices secure and to report a lost or stolen device immediately so it can be deactivated.

Backout Plan:

  1. If a hardware MFA device becomes unavailable (e.g., lost or malfunctioning), deactivate it. Verify the requester's identity out of band first, because "I lost my token" is a common social-engineering pretext, and note that the removal is recorded in CloudTrail as a DeactivateMFADevice event:

    • Go to IAM → Users → Security credentials.

    • Under Assigned MFA device, select the device and click Remove. If a hardware TOTP token merely produces codes that are rejected, resync the device instead of removing it.

  2. Assign a replacement hardware MFA device, or a temporary virtual MFA device for short-term access, and re-enable hardware MFA promptly. Do not leave the user without any MFA device.

References: