
Enable MFA for IAM Users with Console Password

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-013

Ensure that Multi-Factor Authentication (MFA) is enabled for all the IAM users console access within your AWS account in order to secure your AWS cloud environment and adhere to IAM security best practices.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Having MFA-protected IAM users is one of the best ways to protect your AWS services and resources against hacking. An MFA device signature adds an extra layer of protection on top of your existing IAM user credentials (username and password), making your AWS account virtually impossible to penetrate without the MFA-generated passcode.
Audit

To determine if your IAM users are MFA-protected, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name of the Amazon IAM user that you want to examine.

05 Select the Security credentials tab to access the configuration information available for the IAM user credentials.

06 In the Sign-in credentials section, check the Assigned MFA device attribute value. If the attribute value is set to Not assigned, the selected IAM user is not MFA-protected, therefore the user authentication process is not following Amazon IAM security best practices.

07 Repeat steps no. 4 – 6 for each IAM user available within the selected AWS cloud region.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all the IAM users available within your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

------------------------
|      ListUsers       |
+----------------------+
|  cc-project5-admin   |
|  cc-s3-data-manager  |
+----------------------+

03 Run list-mfa-devices command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to describe the MFA device(s) configured for the selected IAM user:

aws iam list-mfa-devices \
  --user-name cc-project5-admin \
  --query 'MFADevices'

04 The command output should return the MFA device(s) assigned to the specified IAM user:

[]

If the list-mfa-devices command output returns an empty array (i.e. []), as shown in the example above, the selected IAM user is not MFA-protected, therefore the user authentication process is not following Amazon IAM security best practices.

05 Repeat steps no. 1 – 4 for each IAM user available in the selected AWS cloud region.
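The per-user list-mfa-devices loop above scales poorly and does not distinguish users that actually hold a console password from users that only have access keys. The script below is an added example (not Conformity's tooling) that performs the same audit from the IAM credential report, which carries a password_enabled and an mfa_active column for every user, and prints only the users this rule is about: console password present, no MFA. It assumes an AWS CLI v2 profile with permission for iam:GenerateCredentialReport and iam:GetCredentialReport when run with --live; without that flag it runs against a constructed sample report so the parsing logic can be checked offline.

```shell
#!/bin/sh
# Added example, not Conformity's own tooling: find IAM users that have a console
# password but no MFA device, using one IAM credential report instead of calling
# list-mfa-devices once per user.
# Assumes: AWS CLI v2 configured with permission for iam:GenerateCredentialReport
# and iam:GetCredentialReport (only needed for --live mode).

# Read a decoded credential report CSV on stdin and print the name of every
# user whose password_enabled is "true" and mfa_active is "false".
find_users_without_mfa() {
  awk -F',' '
    NR == 1 {
      # Map header names to column numbers so the check does not depend on
      # the column order of the report.
      for (i = 1; i <= NF; i++) col[$i] = i
      next
    }
    {
      pw  = $(col["password_enabled"])
      mfa = $(col["mfa_active"])
      # The <root_account> row reports password_enabled as "not_supported";
      # root MFA is a separate check, so that row is intentionally skipped here.
      if (pw == "true" && mfa == "false") print $(col["user"])
    }'
}

# Fetch the current credential report. generate-credential-report is
# asynchronous, so poll until the report State is COMPLETE before downloading.
fetch_credential_report() {
  while [ "$(aws iam generate-credential-report --query State --output text)" != "COMPLETE" ]; do
    sleep 2
  done
  # Content is base64-encoded CSV (use "base64 -D" on older macOS).
  aws iam get-credential-report --query Content --output text | base64 -d
}

# Constructed sample report (trimmed to the columns this check needs) so the
# script can be exercised offline; real reports carry more columns, which the
# header-name mapping above tolerates.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2016-01-04T10:00:00+00:00,not_supported,2016-05-20T08:15:00+00:00,true
cc-project5-admin,arn:aws:iam::123456789012:user/cc-project5-admin,2016-02-10T09:30:00+00:00,true,2016-05-19T14:02:00+00:00,false
cc-s3-data-manager,arn:aws:iam::123456789012:user/cc-s3-data-manager,2016-03-01T11:00:00+00:00,false,N/A,false
cc-ops-user,arn:aws:iam::123456789012:user/cc-ops-user,2016-03-15T16:45:00+00:00,true,2016-05-21T07:50:00+00:00,true'

if [ "${1:-}" = "--live" ]; then
  fetch_credential_report | find_users_without_mfa
else
  printf '%s\n' "$SAMPLE_REPORT" | find_users_without_mfa
fi
```

Against the sample the script prints only cc-project5-admin: cc-s3-data-manager has no console password and is therefore out of scope for this rule (it is still worth a separate look for access-key hygiene), and cc-ops-user already has MFA. The report is generated at most once every four hours by AWS, so on a real account the --live result can lag a device assignment made minutes earlier.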

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) protection for your Amazon IAM users, perform the following operations:

Note: As an example, this conformity rule will use Google Authenticator as an MFA device since it is one of the most popular MFA virtual applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features visit this page.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name of the Amazon IAM user that you want to reconfigure.

05 Select the Security credentials tab to access the configuration information available for the IAM user credentials.

06 In the Sign-in credentials section, click on the Manage link available next to Assigned MFA device to initiate the MFA device setup process.

07 Inside the Sign-In Credentials section, click the Manage MFA Device button next to Multi-Factor Authentication Device to initiate the MFA device setup process.

08 On the Multi-factor authentication (MFA) panel choose Activate MFA to initiate the MFA setup.

09 In the Manage MFA device configuration box, select Virtual MFA device from Choose the type of MFA device to assign, then click Continue.

10 Install the MFA-compatible device. The MFA virtual device used in this example is Google Authenticator. This guide assumes that you have already installed the Google Authenticator application on your smartphone, otherwise follow the official Google documentation to install the required application.

11 In the Set up virtual MFA device configuration box, perform the following actions:

  1. Click on the Show QR code link under Use your virtual MFA app and your device's camera to scan the QR code.
  2. Scan the QR code using the Google Authenticator application.
  3. Enter two consecutive authentication passcodes in the MFA code 1 and MFA code 2 text fields.
  4. Choose Assign MFA to complete the Multi-Factor Authentication (MFA) setup process. If successful, the following message will be displayed: "You have successfully assigned virtual MFA". Choose Close to return to the Amazon IAM console. The new virtual MFA device will be required during IAM user sign-in.

12 Repeat steps no. 4 – 11 for each Amazon IAM user that you want to protect using Multi-Factor Authentication (MFA).

Using AWS CLI

01 Run create-virtual-mfa-device command (OSX/Linux/UNIX) to create a new virtual Multi-Factor Authentication (MFA) device within your AWS cloud account:

aws iam create-virtual-mfa-device \
  --virtual-mfa-device-name cc-virtual-mfa-device \
  --outfile cc-qr-code.txt \
  --bootstrap-method Base32StringSeed \
  --query 'VirtualMFADevice'

02 The command output should return the Amazon Resource Name (ARN) of the new MFA device:

{
  "SerialNumber": "arn:aws:iam::123456789012:mfa/cc-virtual-mfa-device"
}

03 Run enable-mfa-device command (OSX/Linux/UNIX) to activate the new MFA virtual device created in the previous step and associate it with the selected Amazon IAM user. The values passed to --authentication-code-1 and --authentication-code-2 (123456 and 654321 in this example) represent two consecutive passcodes generated by the MFA device (in this case Google Authenticator). The new virtual MFA device will be required during IAM user sign-in. If successful, the enable-mfa-device command does not produce an output:

aws iam enable-mfa-device \
  --user-name cc-project5-admin \
  --serial-number arn:aws:iam::123456789012:mfa/cc-virtual-mfa-device \
  --authentication-code-1 123456 \
  --authentication-code-2 654321

04 Repeat steps no. 1 – 3 for each Amazon IAM user that you want to protect using Multi-Factor Authentication (MFA).

Publication date May 21, 2016