Ensure that the Multi-Factor Authentication (MFA) feature is enabled for your AWS root account in order to secure your cloud environment and adhere to IAM security best practices.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Having an MFA-protected root account is one of the best ways to protect your AWS cloud resources against attackers. An MFA device signature adds an extra layer of protection on top of your existing root credentials, making your AWS root account virtually impossible to penetrate without the unique passcode generated by the MFA device.
Audit
To determine if your AWS root account is MFA-protected, perform the following operations:
Remediation / Resolution
To enable Multi-Factor Authentication (MFA) protection for your AWS root account, perform the following operations:
Note 1: As an example, this conformity rule will use Google Authenticator as an MFA device since it is one of the most popular MFA virtual applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features visit this page.
Note 2: Installing and activating an MFA device for an AWS root account via AWS Command Line Interface (CLI) is not supported.
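One way to automate the Audit check above is to read the IAM credential report (the `iam get-credential-report` call listed in the references) and inspect the `mfa_active` column of the `<root_account>` row. The following is an added example, not Conformity's own code: it assumes the report is obtained separately (`aws iam generate-credential-report`, then `aws iam get-credential-report`, which returns the CSV base64-encoded in its `Content` field) and uses a constructed, shortened sample report so it runs offline.

```python
import base64
import csv
import io

# Constructed sample of an IAM credential report (header plus two rows).
# The real report has further columns; only the ones used here are kept.
SAMPLE_REPORT_MFA_OFF = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,"
    "false,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-06-01T00:00:00+00:00,"
    "true,no_information,2021-06-01T00:00:00+00:00,N/A,true,true\n"
)
# Same constructed report with MFA enabled on the root row.
SAMPLE_REPORT_MFA_ON = SAMPLE_REPORT_MFA_OFF.replace(
    "not_supported,false,false", "not_supported,true,false"
)

ROOT_USER = "<root_account>"  # literal user name AWS uses for the root row


def encode_report(report_csv: str) -> str:
    """Base64-encode a CSV the way get-credential-report's Content field is."""
    return base64.b64encode(report_csv.encode("utf-8")).decode("ascii")


def decode_report_content(content_b64: str) -> str:
    """Decode the base64 'Content' field returned by get-credential-report."""
    return base64.b64decode(content_b64).decode("utf-8")


def root_mfa_status(report_csv: str) -> bool:
    """Return True only if the root account row reports mfa_active=true.

    Raises ValueError when no root row exists, so a truncated or malformed
    report is never silently treated as compliant.
    """
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == ROOT_USER:
            return row.get("mfa_active", "").strip().lower() == "true"
    raise ValueError("root account row not found in credential report")


def audit(content_b64: str) -> str:
    """Produce the verdict for this rule from the raw API/CLI Content field."""
    if root_mfa_status(decode_report_content(content_b64)):
        return "COMPLIANT"
    return "NOT COMPLIANT: enable MFA on the root account"


if __name__ == "__main__":
    for label, rep in (("mfa off", SAMPLE_REPORT_MFA_OFF), ("mfa on", SAMPLE_REPORT_MFA_ON)):
        print(label, "->", audit(encode_report(rep)))
```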
References
- AWS Documentation
- AWS Identity and Access Management (IAM) FAQs
- Multi-Factor Authentication
- Security best practices in IAM
- Using Multi-Factor Authentication (MFA) in AWS
- Enabling and managing virtual MFA devices (AWS CLI or AWS API)
- AWS Command Line Interface (CLI) Documentation
- iam
- get-credential-report
- Google Authenticator