
Hardware MFA for AWS Root Account

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-042

Ensure that hardware-based Multi-Factor Authentication (MFA) is enabled for your root account in order to secure access to your AWS cloud resources and adhere to security best practices. A hardware-based MFA device is much more robust than a virtual MFA device because it has a minimal attack surface and cannot be compromised unless a malicious user gains physical access to the device.

This rule can help you with the following compliance standards:

  • CISAWSF
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Having hardware-based MFA protection for your root account is the best way to protect your AWS cloud services and resources against attackers. An MFA device signature adds an extra layer of protection on top of your existing root credentials making your AWS root account virtually impossible to penetrate without the MFA-generated passcode.


Audit

To determine if your AWS root account is protected with a hardware-based MFA solution, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console using your root account credentials.

02 Click on the AWS account name/number available in the upper-right corner of the Management Console and select Security credentials from the dropdown menu.

03 On the My security credentials page for the root user, in the Multi-factor authentication (MFA) section, check for any MFA devices enabled for your AWS root account. If no MFA devices are installed, your AWS root account is not MFA-protected. If one or more MFA devices are installed for the root account, check the MFA device type listed in the Device type column. If the Device type is set to Virtual or Security key, your AWS root account is not protected using a hardware-based MFA device.

04 Repeat steps no. 1 – 3 for each AWS cloud root account that you want to examine.

Using AWS CLI

01 Run the get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS cloud account. A credential report is a CSV document that lists all the AWS users (root and IAM users) created within your AWS cloud account and the current status of their access credentials:

aws iam get-credential-report

02 The command output should return the requested document in text/csv format, encoded with the Base64 encoding scheme, as shown in the example below:

{
	"Content": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
	"ReportFormat": "text/csv",
	"GeneratedTime": "2023-11-14T18:00:00+00:00"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named iam-credentials-report.csv:

echo "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd" | base64 --decode > iam-credentials-report.csv

04 Open the iam-credentials-report.csv file in your favorite CSV editor and check the value available in the mfa_active column for the <root_account> user. If the value set for the mfa_active configuration attribute is FALSE, your AWS root account is not MFA-protected and the Audit process ends here. If the mfa_active attribute value is set to TRUE, your AWS root account is MFA-protected and you can continue the Audit process with the next step.

05 Run the list-virtual-mfa-devices command (OSX/Linux/UNIX) using custom query filters to return the Amazon Resource Name (ARN) of the IAM user associated with each virtual MFA device assigned within your AWS account:

aws iam list-virtual-mfa-devices \
  --assignment-status Assigned \
  --query 'VirtualMFADevices[*].User.Arn'

06 The command output should return the Amazon Resource Name (ARN) for the associated IAM user:

[
	"arn:aws:iam::123456789012:root"
]

If the ARN of the associated IAM user returned by the list-virtual-mfa-devices command output is "arn:aws:iam::[aws-account-id]:root", where [aws-account-id] represents the ID number of your AWS cloud account, your AWS root account is not using a hardware-based MFA device for MFA protection.

07 Repeat steps no. 1 – 6 for each AWS cloud root account that you want to examine.
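The following script is an added example, not part of the Conformity page or of the AWS CLI: it applies the logic of audit steps 1 to 6 above (mfa_active for <root_account> in the decoded credential report, then the root ARN check against the assigned virtual MFA devices) and returns the outcome from a function so it can be tested offline. The sample report rows and ARN list are constructed; the function names are the example's own; the command-line path assumes configured AWS CLI credentials and that a credential report has already been generated with aws iam generate-credential-report.

```python
import base64, csv, io, json, re, subprocess

# Constructed sample data standing in for the two CLI outputs the audit uses.
# A real credential report has many more columns; only those used here are kept.
SAMPLE_REPORT_CSV = (
    "user,arn,user_creation_time,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2017-05-07T10:00:00+00:00,true\n"
    "alice,arn:aws:iam::123456789012:user/alice,2020-01-01T00:00:00+00:00,false\n"
)
SAMPLE_VIRTUAL_MFA_USER_ARNS = ["arn:aws:iam::123456789012:root"]

# Matches the root ARN in any partition (aws, aws-cn, aws-us-gov).
ROOT_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:root$")

def root_mfa_active(report_csv: str) -> bool:
    """Step 4: read the mfa_active column of the <root_account> row."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row["mfa_active"].strip().lower() == "true"
    raise ValueError("credential report has no <root_account> row")

def root_has_virtual_mfa(virtual_mfa_user_arns) -> bool:
    """Step 6: a root ARN among the assigned virtual MFA users means a virtual device."""
    return any(ROOT_ARN.match(arn) for arn in virtual_mfa_user_arns)

def evaluate_root_mfa(report_csv: str, virtual_mfa_user_arns) -> str:
    """Combine both checks into the rule outcome. Like the page's CLI procedure,
    this cannot tell a FIDO security key from a hardware TOTP token."""
    if not root_mfa_active(report_csv):
        return "NO_MFA"
    if root_has_virtual_mfa(virtual_mfa_user_arns):
        return "VIRTUAL_MFA"
    return "HARDWARE_MFA"

def aws_cli_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

if __name__ == "__main__":
    # Assumes `aws iam generate-credential-report` has already been run for this account.
    report = aws_cli_json("iam", "get-credential-report")
    report_csv = base64.b64decode(report["Content"]).decode()
    arns = aws_cli_json("iam", "list-virtual-mfa-devices", "--assignment-status", "Assigned",
                        "--query", "VirtualMFADevices[*].User.Arn")
    print("Root account MFA status:", evaluate_root_mfa(report_csv, arns))
```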

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) protection for your AWS root account using a hardware-based MFA device, perform the following operations:

This guide demonstrates how to enable Multi-Factor Authentication for AWS root accounts using a hardware time-based one-time password (TOTP) token. A hardware TOTP token generates a 6-digit numeric code based upon a TOTP algorithm.
Installing and activating a hardware-based MFA device (i.e. TOTP token) for an AWS root account via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console using your root account credentials.

02 Click on the AWS account name/number available in the upper-right corner of the Management Console and select Security credentials from the dropdown menu.

03 On My security credentials page for the root user, in the Multi-factor authentication (MFA) section, choose Assign MFA device to initiate the MFA device setup process.

04 For Step 1 Assign MFA device, provide a meaningful name that identifies the MFA device in the Device name box, choose the Hardware TOTP token option from the MFA device list, and select Next to continue the setup process.

05 For Step 2 Set up device, perform the following actions:

  1. For Enter the device serial number located on the back of the device, enter the serial number that is usually found on the back of the MFA hardware device.
  2. For Press the button on the front of the device and enter the 6-digit number that appears, enter the six-digit number generated by the MFA hardware device selected at the previous step into the MFA Code 1 box. Follow the instructions provided by the device manufacturer to generate the necessary code.
  3. For Wait 30 seconds and then press the button again. Enter the second number, wait 30 seconds while the device refreshes the generated code, then enter the next six-digit number into the MFA Code 2 box.
  4. Choose Add MFA to complete the setup process. The MFA hardware device is now associated with your AWS cloud account, and it will be required during AWS root account sign-in. Submit your request right after generating the authentication codes. If you generate the codes and delay submitting the request, the MFA device will initially associate with the user successfully, but it may become out of sync, because TOTP passcodes expire after a short period. In such a case, you may need to resynchronize the device.

06 The new hardware-based MFA device will be required during each root account sign-in. The next time you use your AWS root account credentials to sign in, you must provide a passcode from the associated MFA device.

07 Repeat steps no. 1 – 6 for each AWS cloud root account that you want to protect using a hardware-based MFA device.
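To make concrete what a hardware TOTP token computes and why Step 2 asks for two codes 30 seconds apart (and why a delayed submission can leave the device out of sync), here is an added example that is not code from the Conformity page or from AWS: a plain RFC 4226/6238 implementation with the two-code pairing and a window-based acceptance check. The secret is the constructed RFC 6238 reference key, the function names are the example's own, and the server-side window is an assumption illustrating generic TOTP verification, not AWS's actual implementation.

```python
import hashlib, hmac, struct

# Constructed secret (the RFC 6238 reference test key). A real token's seed is never
# shown to the user; it is provisioned by the manufacturer and registered with AWS.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the interval behind "wait 30 seconds and press the button again"

def hotp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of 30-second steps since the epoch."""
    return hotp_code(secret, unix_time // STEP_SECONDS)

def setup_codes(secret: bytes, unix_time: int) -> tuple:
    """The two values the console asks for: the current code and the one 30 seconds later."""
    return totp_code(secret, unix_time), totp_code(secret, unix_time + STEP_SECONDS)

def accept_setup_codes(secret: bytes, code1: str, code2: str, now: int, window: int = 1) -> bool:
    """Server-side check (assumed generic RFC 6238 logic, not AWS's implementation):
    the pair must be two consecutive codes whose first counter lies within +/- `window`
    steps of the server's clock. Submitting late pushes the pair outside the window,
    which is the mechanism behind the out-of-sync warning in the setup procedure."""
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hotp_code(secret, counter) == code1 and hotp_code(secret, counter + 1) == code2:
            return True
    return False
```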

Publication date May 7, 2017