Ensure that Multi-Factor Authentication (MFA) is enabled for all the IAM users console access within your AWS account in order to secure your AWS cloud environment and adhere to IAM security best practices.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Having MFA-protected IAM users is one of the best ways to protect your AWS services and resources against unauthorized access. An MFA device signature adds an extra layer of protection on top of your existing IAM user credentials (username and password), so that a stolen or guessed password alone is not enough to sign in to your AWS account without the MFA-generated passcode.
Audit
To determine if your IAM users are MFA-protected, perform the following operations:
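The audit check this rule performs can be scripted against the AWS CLI commands listed in the references (list-users and list-mfa-devices). The following is an added example, not code from the Conformity rule or from AWS: it reports IAM users that have a console password but no MFA device assigned. The sample account data is constructed, and the use of `aws iam get-login-profile` (which exits with NoSuchEntity for users without a console password) to detect console access is an assumption of this example, not something the page states.

```python
"""Audit helper: list IAM users that have console access but no MFA device.

Added example, not part of the Conformity rule page. It consumes the JSON
shapes returned by `aws iam list-users`, `aws iam get-login-profile` and
`aws iam list-mfa-devices --user-name <name>`. All sample data below is
constructed and does not describe a real account.
"""
import json
import subprocess


def users_without_mfa(users, login_profiles, mfa_devices):
    """Return (sorted) names of users with a console password but no MFA device.

    users:          the "Users" list from `aws iam list-users`
    login_profiles: set of user names for which `get-login-profile` succeeded,
                    i.e. users that can sign in to the console
    mfa_devices:    dict user name -> "MFADevices" list from `list-mfa-devices`
    """
    findings = []
    for user in users:
        name = user["UserName"]
        if name not in login_profiles:
            # No console password: this rule (console access) does not apply.
            continue
        if not mfa_devices.get(name):
            # Console access without any MFA device: non-compliant.
            findings.append(name)
    return sorted(findings)


def collect_from_cli():
    """Gather the three inputs from a live account with the AWS CLI (needs credentials)."""
    out = subprocess.check_output(["aws", "iam", "list-users", "--output", "json"])
    users = json.loads(out)["Users"]
    login_profiles = set()
    mfa = {}
    for user in users:
        name = user["UserName"]
        # get-login-profile exits non-zero (NoSuchEntity) when the user has no console password.
        rc = subprocess.run(["aws", "iam", "get-login-profile", "--user-name", name],
                            capture_output=True).returncode
        if rc == 0:
            login_profiles.add(name)
        out = subprocess.check_output(
            ["aws", "iam", "list-mfa-devices", "--user-name", name, "--output", "json"])
        mfa[name] = json.loads(out)["MFADevices"]
    return users, login_profiles, mfa


# Constructed sample data mimicking the CLI output (account id and user ids are placeholders).
SAMPLE_USERS = [
    {"UserName": "alice", "UserId": "AIDAEXAMPLE000001",
     "Arn": "arn:aws:iam::123456789012:user/alice", "CreateDate": "2023-01-10T10:00:00Z"},
    {"UserName": "bob", "UserId": "AIDAEXAMPLE000002",
     "Arn": "arn:aws:iam::123456789012:user/bob", "CreateDate": "2023-02-11T09:30:00Z"},
    {"UserName": "carol", "UserId": "AIDAEXAMPLE000003",
     "Arn": "arn:aws:iam::123456789012:user/carol", "CreateDate": "2023-03-12T08:15:00Z"},
    {"UserName": "dave", "UserId": "AIDAEXAMPLE000004",
     "Arn": "arn:aws:iam::123456789012:user/dave", "CreateDate": "2023-04-13T07:45:00Z"},
]
# alice, bob and dave have console passwords; carol is programmatic-access only.
SAMPLE_LOGIN_PROFILES = {"alice", "bob", "dave"}
# alice and dave have a virtual MFA device; bob and carol have none.
SAMPLE_MFA = {
    "alice": [{"UserName": "alice", "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
               "EnableDate": "2023-01-10T10:05:00Z"}],
    "bob": [],
    "carol": [],
    "dave": [{"UserName": "dave", "SerialNumber": "arn:aws:iam::123456789012:mfa/dave",
              "EnableDate": "2023-04-13T07:50:00Z"}],
}


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in collect_from_cli() for a live account.
    for name in users_without_mfa(SAMPLE_USERS, SAMPLE_LOGIN_PROFILES, SAMPLE_MFA):
        print(f"NON-COMPLIANT: {name} has console access but no MFA device")
```

Run as-is to see the report on the constructed sample (only `bob` is flagged); replace the sample with `collect_from_cli()` to audit a real account with the same logic. Users without a console password are deliberately skipped because the rule is scoped to console access; a separate check would be needed for long-lived access keys.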
Remediation / Resolution
To enable Multi-Factor Authentication (MFA) protection for your Amazon IAM users, perform the following operations:
Note: As an example, this conformity rule will use Google Authenticator as an MFA device since it is one of the most popular MFA virtual applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features visit this page.
References
- AWS Documentation
- AWS Identity and Access Management (IAM) FAQs
- Multi-Factor Authentication
- Security best practices in IAM
- Using Multi-Factor Authentication (MFA) in AWS
- AWS Command Line Interface (CLI) Documentation
- iam
- list-users
- list-mfa-devices
- create-virtual-mfa-device
- enable-mfa-device
- AWS Blog(s)
- Securing Access to AWS Using MFA-Part 1