Root MFA Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: IAM-014

Ensure that the Multi-Factor Authentication (MFA) feature is enabled for your AWS root account in order to secure your cloud environment and adhere to IAM security best practices.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Having an MFA-protected root account is one of the best ways to protect your AWS cloud resources against attackers. An MFA device signature adds an extra layer of protection on top of your existing root credentials, making your AWS root account virtually impossible to penetrate without the unique passcode generated by the MFA device.

Audit

To determine if your AWS root account is MFA-protected, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name/number available in the upper-right corner of the Management Console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the Multi-factor authentication (MFA) tab to expand the panel with the MFA configuration settings available for the root account.

04 On the Multi-factor authentication (MFA) panel, check for any MFA devices enabled for the AWS root account. If there are no MFA devices configured and the Amazon IAM console shows the Activate MFA button, your AWS root account is not MFA-protected and the authentication process for the root user is not following Amazon IAM security best practices.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS cloud account. A credential report is a CSV document that lists all the AWS users (root and IAM users) created within your AWS cloud account and the current status of their access credentials:

aws iam get-credential-report

02 The command output should return the requested document in a TEXT/CSV format, encoded with the Base64 encoding scheme, as shown in the example below:

{
  "Content": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
  "ReportFormat": "text/csv",
  "GeneratedTime": "2021-04-16T15:00:00+00:00"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named cc-iam-credentials-report.csv:

echo -n abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd | base64 --decode > cc-iam-credentials-report.csv

04 Open the cc-iam-credentials-report.csv file in a text editor and check the value available in the mfa_active column for the <root_account> user. If the value set for the mfa_active configuration attribute is FALSE, your AWS root account is not MFA-protected and the root authentication process is not following Amazon IAM security best practices.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine.
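The CLI audit above (fetch the report, decode the Base64 content, read the mfa_active column of the <root_account> row) as an added Python example; this is not Conformity's own code. The sample report is constructed, and the live path assumes boto3 and credentials permitted to call GenerateCredentialReport and GetCredentialReport.

```python
import base64
import csv
import io

# Constructed sample credential report (not a real account). The real report is
# the Base64-encoded CSV in the "Content" field of `aws iam get-credential-report`.
SAMPLE_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111111111111:root,2016-05-21T10:00:00+00:00,"
    "not_supported,2021-04-16T14:00:00+00:00,not_supported,not_supported,"
    "false,true,false\n"
    "alice,arn:aws:iam::111111111111:user/alice,2019-01-01T00:00:00+00:00,"
    "true,2021-04-15T09:00:00+00:00,2021-01-01T00:00:00+00:00,N/A,true,"
    "true,false\n"
)
# Stand-in for the "abcd..." Content value shown on the page (constructed).
SAMPLE_CONTENT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()

def decode_report(content_b64: str) -> str:
    """Turn the Base64 'Content' field of get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")

def root_mfa_active(report_csv: str) -> bool:
    """True only if the <root_account> row has mfa_active set to true.

    A report with no root row is treated as a finding (fail closed) rather
    than a pass, so a truncated or malformed report cannot hide a gap.
    """
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == "<root_account>":
            return row.get("mfa_active", "").strip().lower() == "true"
    return False

def audit_root_mfa(content_b64: str) -> str:
    """IAM-014 style verdict for a Base64-encoded credential report."""
    if root_mfa_active(decode_report(content_b64)):
        return "PASS: AWS root account is MFA-protected"
    return "FAIL: AWS root account has no active MFA device (IAM-014, High)"

if __name__ == "__main__":
    # Live check. Report generation is asynchronous: GetCredentialReport raises
    # ReportNotPresent/ReportInProgress until the State is COMPLETE, so poll first.
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    # boto3 already Base64-decodes the blob, so Content arrives as CSV bytes.
    csv_text = iam.get_credential_report()["Content"].decode("utf-8")
    print("PASS" if root_mfa_active(csv_text) else "FAIL: root MFA not active")
```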

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) protection for your AWS root account, perform the following operations:

Note 1: As an example, this conformity rule will use Google Authenticator as an MFA device since it is one of the most popular MFA virtual applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features visit this page.

Note 2: Installing and activating an MFA device for an AWS root account via AWS Command Line Interface (CLI) is not supported.

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name/number available in the upper-right corner of the Management Console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the Multi-factor authentication (MFA) tab to expand the panel with the MFA configuration settings available for the root account.

04 On the Multi-factor authentication (MFA) panel, choose Activate MFA to initiate the MFA setup process.

05 In the MFA management section click the Activate MFA button to initiate the MFA device setup.

06 In the Manage MFA device configuration box, select Virtual MFA device from Choose the type of MFA device to assign, then click Continue.

07 Install the MFA-compatible device. The MFA virtual device used in this example is Google Authenticator. This guide assumes that you have already installed the Google Authenticator application on your smartphone, otherwise follow the Google documentation to install the required application.

08 In the Set up virtual MFA device configuration box, perform the following actions:

  1. Click on the Show QR code link under Use your virtual MFA app and your device's camera to scan the QR code.
  2. Scan the QR code using the Google Authenticator application.
  3. Enter two consecutive authentication passcodes in the MFA code 1 and MFA code 2 text fields.
  4. Choose Assign MFA to complete the Multi-Factor Authentication (MFA) setup process. If successful, the following message will be displayed: "You have successfully assigned virtual MFA". Choose Close to return to the Amazon IAM console. The new virtual MFA device will be required during AWS root account sign-in.

09 Repeat steps no. 1 – 8 for each AWS root account that you want to protect using Multi-Factor Authentication (MFA).

Publication date May 21, 2016