Enable MFA for Root Account

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Multi-Factor Authentication (MFA) is enabled for your Alibaba Cloud root account in order to secure your cloud environment and adhere to cloud security best practices.

Security

Having an MFA-protected root account is one of the most effective ways to protect your Alibaba Cloud services and resources against unauthorized access. An MFA device signature adds an extra layer of protection on top of your existing root account credentials: even if the root password is leaked or guessed, an attacker cannot sign in without the unique, time-limited passcode generated by the MFA device.

Audit

To determine if your Alibaba Cloud root account is MFA-protected, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under RAM, choose Overview.

04 In the Security Check section, ensure that Enable MFA for Root Account feature status is set to Finished. If Enable MFA for Root Account status is not set to Finished, your Alibaba Cloud root account is not MFA-protected and the authentication process for the root account is not following cloud security best practices.

Using Alibaba Cloud CLI

01 Run GenerateCredentialReport command (OSX/Linux/UNIX) with custom output filters to generate the credential report for your Alibaba Cloud account. A credential report is a CSV document that lists all the existing users (including the root account user) and the current status of their access credentials:

aliyun ims GenerateCredentialReport --output cols=State

02 The command output should return the request status:

State
-----
COMPLETED

03 Run GetCredentialReport command (OSX/Linux/UNIX) to obtain the credential report for your Alibaba Cloud account, generated at the previous step:

aliyun ims GetCredentialReport --output cols=Content

04 The command output should return the requested document in a TEXT/CSV format. The document is encoded with the Base64 encoding scheme, as shown in the example below:

Content
-------
abcdabcdabcdabcdabcdabcd ... abcdabcdabcdabcdabcdabcd

05 Decode the credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step. In the following example, the report is decoded and saved to a file named tm-credentials-report.csv:

echo "abcdabcdabcdabcdabcdabcd ... abcdabcdabcdabcdabcdabcd" | base64 -d > tm-credentials-report.csv

06 Open tm-credentials-report.csv in a TEXT/CSV editor and check the value available in the mfa_active column for the root account user. If the value set for the mfa_active attribute is FALSE, your Alibaba Cloud root account is not MFA-protected and the authentication process for the root account is not following cloud security best practices.
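As an added example (not part of this Conformity article and not a feature of the aliyun CLI), the following POSIX shell function automates steps 05 and 06: it decodes the Base64 report content, locates the user and mfa_active columns by header name rather than by fixed position, and prints the root account's mfa_active value. It assumes the root account row is listed under the user name "<root>" (an assumption; check the user column of your own report) and runs against a constructed sample report instead of real CLI output.

```shell
#!/bin/sh
# Added example: check the root account's mfa_active value in an Alibaba Cloud
# credential report. Not part of the Conformity KB page or the aliyun CLI.
# Assumption: the root account row uses the user name "<root>".

# root_mfa_status <base64-encoded-report>
# Prints the mfa_active value (TRUE/FALSE) of the root account row,
# or NOT_FOUND if the header or the root row cannot be located.
root_mfa_status() {
  printf '%s' "$1" | base64 -d | awk -F',' '
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    NR == 1 {                               # header row: find column indexes
      for (i = 1; i <= NF; i++) {
        if ($i == "user") u = i
        if ($i == "mfa_active") m = i
      }
      next
    }
    u && m && $u == "<root>" { print $m; found = 1; exit }
    END { if (!found) print "NOT_FOUND" }
  '
}

# Constructed sample report (not real data): the root account has no MFA,
# a RAM user named alice does.
SAMPLE_CSV='user,user_creation_time,password_exist,mfa_active
<root>,2024-01-15T08:00:00Z,TRUE,FALSE
alice,2024-02-01T09:30:00Z,TRUE,TRUE'
SAMPLE_B64=$(printf '%s\n' "$SAMPLE_CSV" | base64 | tr -d '\n')

# With a real report, pass the Base64 string returned by
# "aliyun ims GetCredentialReport --output cols=Content" instead of SAMPLE_B64.
if [ "$(root_mfa_status "$SAMPLE_B64")" = "TRUE" ]; then
  echo "root account: MFA enabled"
else
  echo "root account: MFA NOT enabled (or root row not found) - remediate"
fi
```

Matching the columns by header name keeps the check working if Alibaba Cloud adds or reorders report fields, and the NOT_FOUND result makes a missing root row visible instead of silently reporting a pass.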

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) protection for your Alibaba Cloud root account, perform the following operations:

Note 1: As an example, to demonstrate the procedure, the Remediation section employs Google Authenticator, a widely adopted virtual MFA device that implements the Time-Based One-Time Password algorithm (TOTP).
Note 2: Enabling MFA protection for the root account via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account using the root account credentials.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under RAM, choose Overview.

04 In the Security Check section, choose Enable MFA for Root Account, and select Set Now to access the Security Settings page.

05 Choose Edit from the Account Protection section, and perform the following actions:

  1. For Please select the Scenes that needed to be protected, select Log in. (Optional) To enforce MFA protection for root account configuration changes, also select Modify account information (modify email / modify phone / unbind TOTP).
  2. For Please select the verification method to be used, select TOTP (Verify your identity by the dynamic code generated by the Google Authenticator app).
  3. Choose Submit to submit the changes.

06 On the Identity Verification setup page, perform the following operations:

  1. For 1 Verify Identity, follow the setup wizard to verify your identity. Choose Next to continue.
  2. For 2 Install the application, install Google Authenticator. This KB guide assumes that you have already installed Google Authenticator on your mobile device, otherwise follow the official Google documentation to install the application. Choose Next to continue the setup process.
  3. For 3 Enable the MFA, open the Google Authenticator app, choose the Add button, and select Scan a QR code to scan the QR code generated by the MFA setup wizard in order to get a 6-digit verification code. Enter the verification code generated by Google Authenticator in the 6 digits box and choose Next to complete the MFA device setup process. If successful, the Alibaba Cloud console will display the following confirmation message: The account protection has been successfully set. Choose Return to my Alibaba Cloud to return to the Security Settings page. The new virtual MFA device will be required at every root account sign-in from now on.

Publication date: Apr 25, 2024