MFA For RAM Users With Console Password

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AlibabaCloud-RAM-001

Ensure that Multi-Factor Authentication (MFA) is enabled for all RAM users with console access within your Alibaba Cloud account in order to secure your cloud environment and adhere to Resource Access Management (RAM) security best practices.

Security

Having MFA-protected RAM users is one of the best ways to protect your Alibaba Cloud services and resources against account compromise. An MFA device signature adds an extra layer of protection on top of your existing RAM user credentials (username and password), so that a stolen or guessed password alone is not enough to sign in to your cloud account without the MFA-generated passcode.


Audit

To determine if your RAM users are MFA-protected, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Users.

04 Click on the name (link) of the RAM user that you want to examine, listed in the User Logon Name/Display Name column.

05 Select the Authentication tab to access the authentication configuration information available for the selected user.

06 In the Console Logon Management section, check the Console Access attribute value to determine if the console access for the user is enabled. If Console Access is set to Enabled, check the Required to Enable MFA attribute value. If Required to Enable MFA is set to No, the selected RAM user is not MFA-protected, therefore the user authentication process is not following Resource Access Management (RAM) security best practices.

07 Repeat steps no. 4 – 6 for each RAM user available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the ListUsers command (OSX/Linux/UNIX) with custom output filters to list the name of each RAM user available within your Alibaba Cloud account:

aliyun ram ListUsers \
  --output cols=UserName

02 The command output should return a list with the requested RAM user identifiers:

UserName
--------
tm-project-admin
tm-project-developer

03 Run the GetLoginProfile command (OSX/Linux/UNIX) with the name of the Resource Access Management (RAM) user that you want to examine as the identifier parameter, to determine if the selected RAM user has console access:

aliyun ram GetLoginProfile \
  --UserName tm-project-admin

04 The command output should return the user login profile information or an error message if there is no login profile created for the selected user. If the command output returns the "LoginProfile" object, as shown in the example below, continue the Audit process with the next step:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"LoginProfile": {
		"PasswordResetRequired": false,
		"UserName": "tm-project-admin",
		"MFABindRequired": false,
		"CreateDate": "2024-01-18T11:10:03Z"
	}
}

05 Run the GetUserMFAInfo command (OSX/Linux/UNIX) with the name of the RAM user that you want to examine as the identifier parameter, to describe the Multi-Factor Authentication (MFA) settings configured for the selected user:

aliyun ram GetUserMFAInfo \
  --UserName tm-project-admin

06 The command output should return the MFA device configuration information available for the selected user or an error message if there is no MFA device configured for the RAM user:

ERROR: SDK.ServerError
ErrorCode: EntityNotExist.User.MFADevice
Recommend: https://api.aliyun.com/troubleshoot?q=EntityNotExist.User.MFADevice&product=Ram&requestId=ABCDABCD-1234-ABCD-1234-ABCD1234ABCD
RequestId: ABCDABCD-1234-ABCD-1234-ABCD1234ABCD
Message: User not bind

If the GetUserMFAInfo command output returns the following error: EntityNotExist.User.MFADevice, as shown in the example above, the selected RAM user is not MFA-protected, therefore the user authentication process is not following Resource Access Management (RAM) security best practices.

07 Repeat steps no. 3 – 6 for each RAM user available within your Alibaba Cloud account.
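The CLI audit above, steps 01 to 07, automated as an added example (this is not Conformity's or Alibaba Cloud's own code). It shells out to the aliyun CLI in the same way the steps do and flags a RAM user when a login profile exists but no MFA device is bound or MFABindRequired is false; the JSON shape of the ListUsers response and the error-text matching are assumptions, and the sample responses at the bottom are constructed from the outputs shown above so the logic runs offline.

```python
import json
import subprocess

NO_DEVICE = "EntityNotExist.User.MFADevice"   # error code quoted in step 06 above

def run_aliyun(args):
    """Run `aliyun ram <args>` and return (exit_code, stdout, stderr)."""
    p = subprocess.run(["aliyun", "ram", *args], capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr

def audit_ram_users(run=run_aliyun):
    """Map each RAM user with console access but no enforced MFA to a reason."""
    findings = {}
    rc, out, err = run(["ListUsers"])
    if rc != 0:
        raise RuntimeError(f"ListUsers failed: {err.strip()}")
    # Assumed JSON shape of the ListUsers response: {"Users": {"User": [...]}}
    for user in json.loads(out)["Users"]["User"]:
        name = user["UserName"]
        rc, out, _ = run(["GetLoginProfile", "--UserName", name])
        if rc != 0:
            continue  # no login profile: no console password, so the rule does not apply
        profile = json.loads(out)["LoginProfile"]
        rc, _, err = run(["GetUserMFAInfo", "--UserName", name])
        if rc != 0 and NO_DEVICE in err:
            findings[name] = "console access enabled but no MFA device bound"
        elif not profile.get("MFABindRequired", False):
            findings[name] = "MFA device bound but MFABindRequired is false"
    return findings

# Constructed responses modelled on the sample outputs in the audit steps above.
SAMPLE = {
    ("ListUsers",): (0, json.dumps({"Users": {"User": [
        {"UserName": "tm-project-admin"}, {"UserName": "tm-project-developer"}]}}), ""),
    ("GetLoginProfile", "--UserName", "tm-project-admin"): (0, json.dumps(
        {"LoginProfile": {"UserName": "tm-project-admin", "MFABindRequired": False}}), ""),
    ("GetLoginProfile", "--UserName", "tm-project-developer"): (1, "", "ERROR: SDK.ServerError"),
    ("GetUserMFAInfo", "--UserName", "tm-project-admin"): (1, "", f"ErrorCode: {NO_DEVICE}"),
}

def fake_run(args):
    """Offline stand-in for run_aliyun that replays the constructed responses."""
    return SAMPLE[tuple(args)]

if __name__ == "__main__":
    for user, reason in audit_ram_users(fake_run).items():
        print(f"NON-COMPLIANT {user}: {reason}")
```

Call audit_ram_users() with no argument to run against the real CLI with the credentials and region already configured for aliyun.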

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) protection for your Resource Access Management (RAM) users, perform the following operations:

As an example, to demonstrate the procedure, the Remediation section employs Google Authenticator, a widely adopted virtual MFA device that implements the Time-Based One-Time Password (TOTP) algorithm.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Users.

04 Click on the name (link) of the RAM user that you want to configure, listed in the User Logon Name/Display Name column.

05 Select the Authentication tab to access the authentication configuration information available for the selected user.

06 In the Console Logon Management section, choose Modify Logon Settings to change the user logon settings.

07 Ensure that Console Password Logon is set to Enabled, set Enable MFA to Required, and choose OK to apply the configuration changes.

08 Install Google Authenticator. This KB guide assumes that you have already installed Google Authenticator on your mobile device, otherwise follow the official Google documentation to install the application.

09 Go back to the Console Logon Management section, select the Virtual MFA Device tab, and choose Enable Virtual MFA Device to initiate the MFA setup process.

10 On the MFA device setup page, perform the following actions:

  1. Select the QR Code tab and scan the QR code using the Google Authenticator application.
  2. In the Bind Virtual MFA Device section, enter the authentication passcode generated by Google Authenticator in the Security Code box and choose Confirm bind to complete the MFA device setup process. If successful, Alibaba Cloud console will redirect your request to the RAM service overview page. In the Console Logon Management section, the Device Status is now set to Enabled. The new virtual MFA device will be required during RAM user sign-in.

11 Repeat steps no. 4 – 10 for each Resource Access Management (RAM) user that you want to protect using Multi-Factor Authentication (MFA).

Using Alibaba Cloud CLI

01 Run the CreateVirtualMFADevice command (OSX/Linux/UNIX) to create a new virtual Multi-Factor Authentication (MFA) device for your RAM user:

aliyun ram CreateVirtualMFADevice \
  --VirtualMFADeviceName tm-virtual-mfa-device

02 The command output should return the MFA device configuration information:

{
	"VirtualMFADevice": {
		"SerialNumber": "acs:ram::1234567890123456:mfa/tm-virtual-mfa-device",
		"QRCodePNG": "ABCD1234ABCD1234ABCD1234ABCD",
		"Base32StringSeed": "ABCD1234ABCD1234ABCD1234ABCDABCD1234ABCD1234ABCD1234ABCDABCD1234"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Open Google Authenticator, choose the Add button, select Enter a setup key, and paste the key of the virtual MFA device created in the previous step (i.e. the "Base32StringSeed" attribute value) into the Key box. Provide an account name in the Account box and choose Add to add your virtual MFA device to the Google Authenticator app.

04 Run the BindMFADevice command (OSX/Linux/UNIX) to bind the Multi-Factor Authentication (MFA) device created in the previous steps to your RAM user. The --AuthenticationCode1 and --AuthenticationCode2 parameter values are two consecutive passcodes generated by Google Authenticator. The new virtual MFA device will be required during RAM user sign-in. If successful, BindMFADevice should return the ID of the command request:

aliyun ram BindMFADevice \
  --UserName "tm-project-admin" \
  --SerialNumber "acs:ram::1234567890123456:mfa/tm-virtual-mfa-device" \
  --AuthenticationCode1 "123456" \
  --AuthenticationCode2 "654321"

05 The command output should return the ID of the request:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

06 Repeat steps no. 1 – 5 for each Resource Access Management (RAM) user that you want to protect using Multi-Factor Authentication (MFA).
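What the two consecutive passcodes in step 04 actually are, as an added example (not Conformity's or Alibaba Cloud's own code): Google Authenticator derives them from the Base32StringSeed returned by CreateVirtualMFADevice using standard TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30-second window), so the same seed can produce the codes for --AuthenticationCode1 and --AuthenticationCode2 when the binding is scripted. The seed below is the RFC 6238 test secret, constructed for the demo; that RAM accepts codes from the current and the following window without waiting is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp(base32_seed, at_time, step=30, digits=6):
    """Return the TOTP code valid at `at_time` (Unix seconds) for this seed."""
    key = base64.b32decode(base32_seed.upper() + "=" * (-len(base32_seed) % 8))
    counter = int(at_time) // step                       # 30-second time window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def consecutive_codes(base32_seed, now=None, step=30):
    """Two codes from consecutive windows, as BindMFADevice expects for
    --AuthenticationCode1 and --AuthenticationCode2. Assumption: RAM accepts the
    code for the next window in advance; otherwise wait `step` seconds for it."""
    now = time.time() if now is None else now
    return totp(base32_seed, now, step), totp(base32_seed, now + step, step)

def bind_command(user, serial, base32_seed, now=None):
    """Build the `aliyun ram BindMFADevice` argument list for the user."""
    code1, code2 = consecutive_codes(base32_seed, now)
    return ["aliyun", "ram", "BindMFADevice", "--UserName", user,
            "--SerialNumber", serial,
            "--AuthenticationCode1", code1, "--AuthenticationCode2", code2]

if __name__ == "__main__":
    # Constructed seed: the RFC 6238 test secret "12345678901234567890" in Base32.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(bind_command("tm-project-admin",
                       "acs:ram::1234567890123456:mfa/tm-virtual-mfa-device", seed))
```

Treat the Base32StringSeed like a password: once the device is bound, store the seed only in the authenticator app and purge it from shell history and scripts.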

Publication date Feb 23, 2024