Profile Applicability:
Level 1


Description:
This control ensures that all IAM users who are members of groups granted the AdministratorAccess managed policy have Multi-Factor Authentication (MFA) enabled. MFA adds a critical layer of security by requiring users to provide an additional verification factor (such as a virtual or hardware token) beyond their password when accessing the AWS Management Console or making sensitive API calls.


Rationale:
Administrator-level accounts have unrestricted privileges to modify, delete, or create AWS resources. Without MFA, if an administrator’s password is compromised, an attacker could gain full control of the AWS environment. Enabling MFA for all administrative users significantly reduces the risk of account compromise, credential theft, or unauthorized access — aligning with CIS, SOC 2, ISO 27001, and NIST 800-53 control requirements.


Impact:
Positive Impact: Adds a strong layer of protection against unauthorized access and credential theft, ensuring that administrative accounts remain secure.
Negative Impact: Users must use an additional authentication device or app during login, which may slightly increase login time or require additional setup support.

Default Value:
By default, IAM users are not required to use MFA. MFA must be manually enabled per user.

Pre-Requisite:

  • IAM permissions required: iam:ListGroups, iam:ListGroupPolicies, iam:ListAttachedGroupPolicies, iam:ListUsers, iam:ListMFADevices.

  • Administrator group using the AdministratorAccess managed policy.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console using an IAM account with administrative permissions.

  2. Navigate to IAM → User groups.

  3. Identify all groups attached with the AdministratorAccess policy:

    • Select each group → Permissions tab → Verify that AdministratorAccess is attached.

  4. Navigate to IAM → Users.

  5. For each user in these groups:

    • Go to Security credentials tab.

    • Check Assigned MFA device status.

  6. If a user in an AdministratorAccess group does not have MFA assigned, they are non-compliant.
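The console walkthrough above does not scale past a handful of groups, so here is the same check as a script. This is an added example, not part of the original control text: it assumes boto3 is installed and that the auditing principal also holds iam:GetGroup (needed to list a group's members, on top of the permissions named in the pre-requisites). The group, membership and MFA inventory at the bottom is constructed sample data so the logic can be exercised offline; `--live` runs it against the account the credentials point at.

```python
"""Audit helper for this control: flag IAM users who belong to a group that
has the AdministratorAccess managed policy attached but have no MFA device.
Added example; not part of the original control text.  Assumes boto3 is
installed and that the caller also holds iam:GetGroup (needed to list a
group's members, beyond the permissions in the pre-requisites)."""

# AWS-managed policy ARN; identical in every account.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def admin_groups(attached_policies_by_group):
    """Names of groups with AdministratorAccess attached (test plan step 3).

    attached_policies_by_group: {group_name: [policy_arn, ...]}
    """
    return sorted(name for name, arns in attached_policies_by_group.items()
                  if ADMIN_POLICY_ARN in arns)


def noncompliant_admin_users(attached_policies_by_group, members_by_group,
                             mfa_devices_by_user):
    """Test plan steps 5-6: map each user in an AdministratorAccess group who
    has no MFA device to the sorted list of admin groups granting that access.
    Users outside admin groups are ignored even when they lack MFA.

    members_by_group:     {group_name: [user_name, ...]}
    mfa_devices_by_user:  {user_name: [mfa_serial_number, ...]}
    """
    findings = {}
    for group in admin_groups(attached_policies_by_group):
        for user in members_by_group.get(group, []):
            if not mfa_devices_by_user.get(user):
                findings.setdefault(user, set()).add(group)
    return {user: sorted(groups) for user, groups in findings.items()}


def collect_from_aws(iam):
    """Build the three input maps from a boto3 IAM client, paginating because
    list_groups and get_group truncate at 100 entries per call."""
    attached, members, mfa = {}, {}, {}
    for page in iam.get_paginator("list_groups").paginate():
        for group in page["Groups"]:
            name = group["GroupName"]
            attached[name] = [
                p["PolicyArn"]
                for ap in iam.get_paginator("list_attached_group_policies").paginate(GroupName=name)
                for p in ap["AttachedPolicies"]]
            members[name] = [
                u["UserName"]
                for gp in iam.get_paginator("get_group").paginate(GroupName=name)
                for u in gp["Users"]]
    # Only query MFA state for users who actually sit in an admin group.
    for group in admin_groups(attached):
        for user in members[group]:
            if user not in mfa:
                mfa[user] = [d["SerialNumber"] for d in
                             iam.list_mfa_devices(UserName=user)["MFADevices"]]
    return attached, members, mfa


# Constructed sample inventory (not from any real account) so the logic can be
# run offline; 123456789012 is the AWS documentation placeholder account id.
SAMPLE_ATTACHED = {
    "Admins": [ADMIN_POLICY_ARN],
    "Billing": ["arn:aws:iam::aws:policy/job-function/Billing"],
    "BreakGlass": [ADMIN_POLICY_ARN, "arn:aws:iam::aws:policy/ReadOnlyAccess"],
}
SAMPLE_MEMBERS = {
    "Admins": ["alice", "bob"],
    "Billing": ["carol"],
    "BreakGlass": ["bob", "dave"],
}
SAMPLE_MFA = {
    "alice": ["arn:aws:iam::123456789012:mfa/alice"],
    "bob": [],      # admin via two groups, no MFA -> finding
    "carol": [],    # no MFA, but not an admin -> outside this control's scope
    "dave": ["arn:aws:iam::123456789012:mfa/dave"],
}

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:   # audit the account the current credentials point at
        import boto3           # imported lazily so the offline path needs no AWS SDK
        inputs = collect_from_aws(boto3.client("iam"))
    else:
        inputs = (SAMPLE_ATTACHED, SAMPLE_MEMBERS, SAMPLE_MFA)
    for user, groups in noncompliant_admin_users(*inputs).items():
        print(f"NON-COMPLIANT: {user} has no MFA device; admin via {', '.join(groups)}")
```

Two scope caveats match the control as written: the check keys on the managed policy ARN, so a group inline policy that grants equivalent `"Action": "*"` access (which the iam:ListGroupPolicies permission in the pre-requisites would let you enumerate) is not matched, and a user with AdministratorAccess attached directly rather than through a group is not covered by this control at all and needs a separate check.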

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Users.

  2. Select the non-compliant user.

  3. Go to the Security credentials tab.

  4. Under Multi-factor authentication (MFA), click Assign MFA device.

  5. Choose one of the following MFA options:

    • Virtual MFA device (e.g., Authy, Google Authenticator).

    • Hardware MFA device (e.g., YubiKey).

    • FIDO2 security key (e.g., biometric or USB device).

  6. Follow the setup instructions to pair and verify the MFA device.

  7. Once activated, the user will be required to authenticate with both password and MFA token at login.

Backout Plan:

  1. If a user cannot access their MFA device, an IAM administrator can deactivate the existing MFA device and reassign a new one via IAM → Users → Security credentials → Remove MFA device.

  2. Temporary access should be granted only through secure administrative approval.

References: