Profile Applicability:
Level 1


Description:
This control ensures that all AWS IAM users who have been assigned a console password also have Multi-Factor Authentication (MFA) enabled. MFA requires users to provide an additional verification factor (such as a code from a hardware or virtual MFA device) during login, adding an essential layer of protection against unauthorized access due to stolen or compromised credentials.


Rationale:
Enforcing MFA for IAM users significantly reduces the risk of account compromise. Passwords alone are susceptible to phishing, credential stuffing, and brute-force attacks. By requiring a second factor—such as a hardware token, virtual MFA app, or FIDO2 device—organizations can better protect their AWS accounts and comply with security frameworks like CIS, SOC 2, ISO 27001, HIPAA, and NIST 800-53.


Impact:
Positive Impact: Strengthens access security by preventing unauthorized access through stolen passwords and aligns with compliance standards and best practices.
Negative Impact: May cause slight inconvenience during login and requires users to configure and manage MFA devices.


Default Value:
By default, AWS does not enforce MFA for IAM users. MFA must be manually enabled for each user with console access.


Pre-Requisite:

  • IAM permissions required: iam:ListUsers, iam:ListMFADevices, iam:EnableMFADevice, iam:CreateVirtualMFADevice, and iam:DeleteVirtualMFADevice.

  • Users must have a console login password configured.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console with administrative permissions.

  2. Navigate to IAM → Users.

  3. For each user:

    • Go to the Security credentials tab.

    • Check under Console password to confirm whether the user has console access.

    • Review the Assigned MFA device section.

  4. If a user has a console password but no MFA device assigned, that user is non-compliant with this control.
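The same per-user check can be scripted against the IAM API instead of clicking through each user. The following is an added Python example, not part of the benchmark text: the compliance evaluation is kept separate from the AWS calls so it can be run offline on constructed data, and the `collect_from_aws` helper shows how the console checks map to API calls (GetLoginProfile for "Console password", ListMFADevices for "Assigned MFA device"). Assumptions: boto3 is installed and credentials are configured for the live path, the user names in `SAMPLE_STATUSES` are constructed, and the live path additionally needs iam:GetLoginProfile, which the Pre-Requisite list above does not include.

```python
"""Audit AWS IAM users for the "console password without MFA" condition.

Added example (not from the benchmark text). Evaluation logic is kept
separate from the AWS calls so it can be tested offline on constructed data.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class IamUserMfaStatus:
    """The two facts the Test Plan inspects per user."""
    user_name: str
    has_console_password: bool
    mfa_device_count: int

    @property
    def in_scope(self) -> bool:
        # The control only applies to users who can sign in to the console.
        return self.has_console_password

    @property
    def is_compliant(self) -> bool:
        # No console password: trivially compliant (nothing to protect with MFA).
        # Console password present: at least one assigned MFA device is required.
        return (not self.has_console_password) or self.mfa_device_count > 0


def find_noncompliant_users(statuses: Iterable[IamUserMfaStatus]) -> List[str]:
    """Return user names that have a console password but no MFA device."""
    return sorted(s.user_name for s in statuses if not s.is_compliant)


def summarize(statuses: Iterable[IamUserMfaStatus]) -> dict:
    """Roll the per-user results up into a pass/fail for the control."""
    statuses = list(statuses)
    in_scope = [s for s in statuses if s.in_scope]
    noncompliant = find_noncompliant_users(in_scope)
    return {
        "total_users": len(statuses),
        "console_users": len(in_scope),
        "noncompliant": noncompliant,
        "pass": not noncompliant,
    }


def collect_from_aws(iam_client=None) -> List[IamUserMfaStatus]:
    """Gather the same facts the console Test Plan reads, via the IAM API.

    Assumes boto3 is installed and credentials are configured (not verified
    here). Requires iam:ListUsers, iam:ListMFADevices and iam:GetLoginProfile.
    """
    if iam_client is None:
        import boto3  # imported lazily so the offline parts run without it
        iam_client = boto3.client("iam")

    results = []
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            # GetLoginProfile raises NoSuchEntity when the user has no console
            # password; that is the API equivalent of the "Console password" check.
            try:
                iam_client.get_login_profile(UserName=name)
                has_password = True
            except iam_client.exceptions.NoSuchEntityException:
                has_password = False
            devices = iam_client.list_mfa_devices(UserName=name)["MFADevices"]
            results.append(IamUserMfaStatus(name, has_password, len(devices)))
    return results


# Constructed sample data standing in for API responses (not from a real account).
SAMPLE_STATUSES = [
    IamUserMfaStatus("alice", has_console_password=True, mfa_device_count=1),
    IamUserMfaStatus("bob", has_console_password=True, mfa_device_count=0),
    IamUserMfaStatus("ci-deploy", has_console_password=False, mfa_device_count=0),
    IamUserMfaStatus("carol", has_console_password=True, mfa_device_count=2),
]

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in collect_from_aws() for a real account.
    print(summarize(SAMPLE_STATUSES))
```

Only users with a console password are in scope, so access-key-only users such as `ci-deploy` in the sample are not flagged even though they have no MFA device; the root account is outside this control and is not listed by ListUsers.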

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Users.

  2. Select the IAM user who has console access.

  3. Click the Security credentials tab.

  4. In the Multi-Factor Authentication (MFA) section, choose Assign MFA device.

  5. Select the desired MFA type:

    • Virtual MFA device (e.g., Authy, Google Authenticator, Microsoft Authenticator)

    • Hardware MFA device (e.g., YubiKey, Gemalto token)

  6. Follow the setup instructions:

    • For Virtual MFA, scan the QR code or enter the secret key into the MFA app.

    • Enter two consecutive authentication codes generated by the MFA device.

  7. Click Assign MFA to complete setup.

  8. Confirm the device is active under the Assigned MFA device section.

Backout Plan:

  1. If a user loses access to their MFA device:

    • Sign in using an administrative account.

    • Navigate to IAM → Users → Security credentials.

    • Under Assigned MFA device, click Remove.

  2. Immediately assign a new MFA device to the user to avoid leaving the account unprotected.

References: