
Enable MFA for AWS IAM Users

Last updated: 10 November 2017
Security

Risk level: High (not acceptable risk)

Ensure that all users with AWS Console access have Multi-Factor Authentication (MFA) enabled in order to secure your AWS environment and adhere to IAM security best practices.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Having MFA-protected IAM users is one of the most effective ways to protect your AWS resources and services against attackers. An MFA device passcode adds an extra layer of protection on top of the existing IAM user credentials (username and password), so a stolen or guessed password alone is not enough to sign in to your AWS account without the MFA-generated passcode.

Audit

To determine if your IAM users are MFA-protected, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Inside the Sign-In Credentials section, check the Console password and Multi-Factor Authentication Device status. If the Console password feature status is set to Yes and Multi-Factor Authentication Device is set to No, the selected IAM user authentication process is not MFA-protected and is not following AWS IAM security best practices.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users within your account:

aws iam list-users \
	--query 'Users[*].UserName'

02 The command output should return an array that contains all your IAM user names:

[
    "John",
    "David",
    ...
    "Mark"
]

03 Run get-login-profile command (OSX/Linux/UNIX) to check if AWS Console access is enabled for the selected IAM user:

aws iam get-login-profile \
	--user-name John

04 The command output should return an object that contains the Login Profile for the selected IAM user:

{
    "LoginProfile": {
        "UserName": "John",
        "CreateDate": "2018-09-27T01:11:06Z",
        "PasswordResetRequired": true
    }
}

If a LoginProfile object is returned, the selected IAM user has AWS Console access and you should check whether MFA is enabled, as described below. If the user has no console password, get-login-profile returns a NoSuchEntity error instead of a LoginProfile object; such a user is not in scope for this rule.

05 Run list-mfa-devices command (OSX/Linux/UNIX) to list the MFA devices (if any) for the selected IAM user:

aws iam list-mfa-devices \
	--user-name John

06 The command output should return an array that contains all the MFA devices assigned to the specified IAM user:

{
    "MFADevices": []
}

If the MFADevices array returned is empty, i.e. [], the selected IAM user has console access but is not MFA-protected.

07 Repeat steps no. 1 – 5 for each IAM user that you want to examine within your AWS account.
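The audit steps above, automated: the script below is an added example (not Cloud Conformity's or AWS's code) that wraps the same three AWS CLI commands, treats the NoSuchEntity error from get-login-profile as "no console access" rather than as a failure, and reports every user that has a console password but no MFA device. The SAMPLE responses and the fake_cli helper are constructed so the logic can be run offline; the real run uses aws_cli.

```python
import json
import subprocess

def aws_cli(args):
    """Run 'aws iam <args>' and return (exit_code, stdout, stderr)."""
    proc = subprocess.run(["aws", "iam"] + args, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr

def has_console_access(user, run=aws_cli):
    """True if the user has a login profile (console password). get-login-profile
    fails with NoSuchEntity when no password is set: 'no console access', not an error."""
    code, out, err = run(["get-login-profile", "--user-name", user])
    if code == 0:
        return "LoginProfile" in json.loads(out)
    if "NoSuchEntity" in err:
        return False
    raise RuntimeError(f"get-login-profile {user}: {err.strip()}")

def has_mfa_device(user, run=aws_cli):
    """True if list-mfa-devices returns at least one device for the user."""
    code, out, err = run(["list-mfa-devices", "--user-name", user])
    if code != 0:
        raise RuntimeError(f"list-mfa-devices {user}: {err.strip()}")
    return len(json.loads(out)["MFADevices"]) > 0

def find_unprotected_users(run=aws_cli):
    """IAM user names with console access but no MFA device: the rule's findings."""
    code, out, err = run(["list-users", "--query", "Users[*].UserName", "--output", "json"])
    if code != 0:
        raise RuntimeError(f"list-users: {err.strip()}")
    return [u for u in json.loads(out)
            if has_console_access(u, run) and not has_mfa_device(u, run)]

# Constructed sample responses (not real account data) for running the audit logic
# offline: John = console, no MFA; David = no console password; Mark = console + MFA.
SAMPLE = {
    ("list-users",): (0, '["John", "David", "Mark"]', ""),
    ("get-login-profile", "John"): (0, '{"LoginProfile": {"UserName": "John"}}', ""),
    ("get-login-profile", "David"): (254, "", "An error occurred (NoSuchEntity) when calling the GetLoginProfile operation: Login Profile for User David cannot be found."),
    ("get-login-profile", "Mark"): (0, '{"LoginProfile": {"UserName": "Mark"}}', ""),
    ("list-mfa-devices", "John"): (0, '{"MFADevices": []}', ""),
    ("list-mfa-devices", "Mark"): (0, '{"MFADevices": [{"UserName": "Mark", "SerialNumber": "arn:aws:iam::123456789012:mfa/MarksMFADevice"}]}', ""),
}

def fake_cli(args):
    """Stand-in for aws_cli that serves the constructed responses above."""
    return SAMPLE[(args[0],) if args[0] == "list-users" else (args[0], args[2])]

if __name__ == "__main__":
    for name in find_unprotected_users():  # real audit via the AWS CLI
        print(f"FINDING: IAM user {name} has console access without MFA")
```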

Remediation / Resolution

To enable MFA access protection for your IAM users, perform the following:

Note: As an example, this guide uses Google Authenticator as the MFA device, since it is one of the most popular virtual MFA applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features, visit http://aws.amazon.com/iam/details/mfa/.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the IAM user name that you want to update.

05 On the IAM user configuration page, select Security Credentials tab.

06 Inside the Sign-In Credentials section, click the Manage MFA Device button next to Multi-Factor Authentication Device to initiate the MFA device setup process.

07 In the Manage MFA Device dialog box, select A virtual MFA device and click Next Step.

08 Now install an AWS MFA-compatible application. The MFA application used in this example is Google Authenticator. This guide assumes that you already have the application installed on your smartphone at this point; otherwise, follow these steps: https://support.google.com/accounts/answer/1066447?hl=en. Once the application is installed, click Next Step.

09 Scan the QR code using the Google Authenticator application and enter two consecutive authentication codes in the Authentication Code 1 and Authentication Code 2 boxes, then click Activate Virtual MFA to complete the setup process. If successful, the following message will be displayed: “The MFA device was successfully associated.” Click Finish to exit the setup wizard. The new virtual MFA device ARN should now be listed inside the Multi-Factor Authentication Device section.

10 Repeat steps no. 4 – 9 for all AWS IAM users available in your AWS account.

Using AWS CLI

01 Run create-virtual-mfa-device command (OSX/Linux/UNIX) to create a new virtual MFA device within your AWS account:

aws iam create-virtual-mfa-device \
	--virtual-mfa-device-name JohnsMFADevice \
	--outfile /root/QRCode.png --bootstrap-method QRCodePNG

02 The command output should return the new virtual MFA device Amazon Resource Name (ARN):

{
    "VirtualMFADevice": {
        "SerialNumber": "arn:aws:iam::123456789012:mfa/JohnsMFADevice"
    }
}

03 Run enable-mfa-device command (OSX/Linux/UNIX) to activate the specified virtual MFA device (in this case Google Authenticator) and associate it with the selected IAM user. The values passed to --authentication-code-1 and --authentication-code-2 are two consecutive passcodes generated by the MFA device. The enable-mfa-device command does not return any output:

aws iam enable-mfa-device \
	--user-name John \
	--serial-number arn:aws:iam::123456789012:mfa/JohnsMFADevice \
	--authentication-code-1 256689 \
	--authentication-code-2 432030

04 Finally, run list-mfa-devices command (OSX/Linux/UNIX) to determine if the new MFA device has been successfully installed for the selected IAM user:

aws iam list-mfa-devices \
	--user-name John

05 If successful, the command output should return the MFA device metadata (ARN, activation date, etc.):

{
   "MFADevices": [
      {
         "UserName": "John",
         "SerialNumber": "arn:aws:iam::123456789012:mfa/JohnsMFADevice",
         "EnableDate": "2016-05-20T18:51:54Z"
      }
   ]
}

06 Repeat steps no. 1 – 5 for all AWS IAM users within your AWS account.

Publication date May 21, 2016