Ensure that hardware-based Multi-Factor Authentication (MFA) is enabled for your AWS root account in order to secure access to your AWS cloud resources and adhere to security best practices. A hardware-based MFA device is considerably more secure than a virtual MFA device: it has a minimal attack surface and cannot be compromised unless a malicious user gains physical access to the device.
This rule can help you with the following compliance standards:
- CISAWSF
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Having hardware-based MFA protection for your root account is the best way to protect your AWS cloud services and resources against attackers. The MFA device's one-time passcode adds an extra layer of protection on top of your existing root credentials, making your AWS root account virtually impossible to compromise without the MFA-generated passcode.
Audit
To determine if your AWS root account is protected with a hardware-based MFA solution, perform the following operations:
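One way to evaluate this check offline, added here as an example and not part of the Conformity tooling: it combines the output of `aws iam get-credential-report` (whose `Content` field is a base64-encoded CSV with a `<root_account>` row and an `mfa_active` column) with the output of `aws iam list-virtual-mfa-devices --assignment-status Assigned`. If the root account has MFA active but no assigned virtual device belongs to the root ARN, the device must be a hardware one. The sample outputs are constructed (abbreviated columns, placeholder account ID), and the classification labels are this example's own names.

```python
import base64
import csv
import io

# Constructed, abbreviated sample of the credential report CSV (real reports
# carry more columns). The root account row is always named <root_account>.
CREDENTIAL_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-05-04T10:00:00+00:00,true,false\n"
)
# Constructed sample of `aws iam get-credential-report` JSON output.
GET_CREDENTIAL_REPORT_OUTPUT = {
    "Content": base64.b64encode(CREDENTIAL_REPORT_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
}
# Constructed samples of `aws iam list-virtual-mfa-devices --assignment-status Assigned`.
# A virtual device assigned to root shows the root ARN in its "User" block.
LIST_VIRTUAL_MFA_VIRTUAL_ROOT = {
    "VirtualMFADevices": [
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
         "User": {"Arn": "arn:aws:iam::123456789012:root"}}
    ]
}
LIST_VIRTUAL_MFA_NO_ROOT = {"VirtualMFADevices": []}


def root_mfa_active(report_output: dict) -> bool:
    """True if the credential report marks the root account as MFA-enabled."""
    content = base64.b64decode(report_output["Content"]).decode()
    for row in csv.DictReader(io.StringIO(content)):
        if row["user"] == "<root_account>":
            return row["mfa_active"].strip().lower() == "true"
    raise ValueError("root account row missing from credential report")


def root_has_virtual_mfa(mfa_output: dict) -> bool:
    """True if any assigned virtual MFA device belongs to the root user."""
    return any(dev.get("User", {}).get("Arn", "").endswith(":root")
               for dev in mfa_output.get("VirtualMFADevices", []))


def root_hardware_mfa_status(report_output: dict, mfa_output: dict) -> str:
    """Classify root as HARDWARE_MFA, VIRTUAL_MFA_ONLY or NO_MFA (example labels)."""
    if not root_mfa_active(report_output):
        return "NO_MFA"
    return "VIRTUAL_MFA_ONLY" if root_has_virtual_mfa(mfa_output) else "HARDWARE_MFA"


if __name__ == "__main__":
    print(root_hardware_mfa_status(GET_CREDENTIAL_REPORT_OUTPUT, LIST_VIRTUAL_MFA_NO_ROOT))
```

Only `HARDWARE_MFA` satisfies this rule; `VIRTUAL_MFA_ONLY` means root is protected, but by a virtual device rather than a hardware one.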
Remediation / Resolution
To enable Multi-Factor Authentication (MFA) protection for your AWS root account using a hardware-based MFA device, perform the following operations:
This guide demonstrates how to enable Multi-Factor Authentication for AWS root accounts using a hardware time-based one-time password (TOTP) token. A hardware TOTP token generates a 6-digit numeric code based on the TOTP algorithm. Installing and activating a hardware-based MFA device (i.e. a TOTP token) for an AWS root account via the AWS Command Line Interface (CLI) is not currently supported.
References
- AWS Documentation
  - AWS Identity and Access Management (IAM) FAQs
  - Multi-Factor Authentication (MFA) for IAM
  - Security best practices in IAM
  - Using multi-factor authentication (MFA) in AWS
  - Enabling a hardware TOTP token (console)
  - Resynchronizing virtual and hardware MFA devices
- AWS Command Line Interface (CLI) Documentation
  - get-credential-report
  - list-virtual-mfa-devices