
Enable MFA for AWS Root Account


Risk level: High (not acceptable risk)

Ensure that Multi-Factor Authentication (MFA) is enabled for your root account in order to secure your AWS environment and adhere to IAM security best practices.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Having an MFA-protected root account is the best way to protect your AWS resources and services against attackers. An MFA device adds a second factor on top of your existing root credentials, so that a stolen or guessed root password alone is not enough: the root account cannot be used without the passcode generated by the MFA device.

Audit

To determine if your AWS root account is MFA-protected, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console using your root credentials.

02 Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu:

Security Credentials Menu

03 On Your Security Credentials page, click on the Multi-Factor Authentication (MFA) accordion tab to expand the MFA management section.

04 Inside the MFA management section, check whether any MFA devices are listed, for example:

no MFA devices listed

If there are no MFA devices listed and the Activate MFA button is displayed, your root account is not MFA-protected and the authentication process is not following AWS IAM security best practices.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine.

Using AWS CLI

01 Run the get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a document that lists all the AWS users (root and IAM users) and the current status of their credentials:

aws iam get-credential-report

02 The command output should return the document in a TEXT/CSV format, encoded with the Base64 encoding scheme:

{
    "Content": "dXNlcixh4sdXNlcl9cmVhdGl ... 4vQSxmYWxzZ0sZmFsc2UsTi9B",
    "GeneratedTime": "2016-05-20T16:43:08Z",
    "ReportFormat": "text/csv"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named credentials-report.csv:

echo -n 'dXNlcixh4sdXNlcl9cmVhdGl ... 4vQSxmYWxzZ0sZmFsc2UsTi9B' | base64 -d > credentials-report.csv

04 Open credentials-report.csv in your favorite CSV file editor and check the value in the mfa_active column for the AWS root account (the row whose user is <root_account>). If the value set for the mfa_active parameter is FALSE, your AWS root account is not MFA-protected.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine via CLI.
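Steps 2 to 4 of the CLI audit can be automated. The following Python script is an added example and is not part of the Cloud Conformity page or tooling: it takes the JSON returned by aws iam get-credential-report (the report must exist, so run aws iam generate-credential-report first and wait until its State is COMPLETE), decodes the Base64 Content field, parses the CSV and reports PASS, FAIL or UNKNOWN for the root account, which the report lists under the user name <root_account>. The embedded credential report is constructed for the example; the column names follow the real report but the rows are invented.

```python
import base64
import csv
import io
import json

# Constructed sample credential report: the header columns mirror the real
# report (truncated after mfa_active); the rows are invented for this example.
SAMPLE_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2016-05-01T10:00:00+00:00,"
    "not_supported,2016-05-20T16:40:00+00:00,not_supported,not_supported,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,2016-05-02T09:00:00+00:00,"
    "true,2016-05-19T08:00:00+00:00,2016-05-02T09:00:00+00:00,N/A,true\n"
)

def encode_response(csv_text):
    """Wrap CSV text the way `aws iam get-credential-report` returns it."""
    return json.dumps({"Content": base64.b64encode(csv_text.encode()).decode(),
                       "GeneratedTime": "2016-05-20T16:43:08Z",
                       "ReportFormat": "text/csv"})

SAMPLE_RESPONSE = encode_response(SAMPLE_CSV)

def decode_credential_report(response_json):
    """Decode the Base64 Content field into a list of row dicts (step 3)."""
    response = json.loads(response_json)
    if response.get("ReportFormat") != "text/csv":
        raise ValueError("unexpected ReportFormat: %r" % response.get("ReportFormat"))
    text = base64.b64decode(response["Content"]).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))

def root_mfa_active(rows):
    """True/False from the root row's mfa_active column (step 4); None if the
    report has no root row (treat that as a failed check, never as a pass)."""
    for row in rows:
        if row["user"] == "<root_account>" or row["arn"].endswith(":root"):
            return row["mfa_active"].strip().lower() == "true"
    return None

def audit_root_mfa(response_json):
    """Map the report to a finding: PASS (MFA on), FAIL (MFA off) or UNKNOWN."""
    status = root_mfa_active(decode_credential_report(response_json))
    if status is None:
        return "UNKNOWN"
    return "PASS" if status else "FAIL"
```

For a real account, save the CLI output with aws iam get-credential-report > report.json and pass the file contents to audit_root_mfa; the constructed sample above yields FAIL because its root row has mfa_active set to false.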

Remediation / Resolution

To enable MFA access protection for your AWS root account, perform the following:

Note 1: As an example, this guide uses Google Authenticator as the MFA device, since it is one of the most popular virtual MFA applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features, visit http://aws.amazon.com/iam/details/mfa/

Note 2: Installing and activating an MFA device for the AWS root account via the Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console using your root credentials.

02 Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu:

Security Credentials Menu

03 On Your Security Credentials page, click on the Multi-Factor Authentication (MFA) accordion tab to expand the MFA management section.

04 In the MFA management section, click the Activate MFA button to initiate the MFA device setup.

05 In the Manage MFA Device dialog box, select A virtual MFA device and click Next Step.

06 Now install an AWS MFA-compatible application. The MFA application used in this example is Google Authenticator. This guide assumes that you already have the application installed on your smartphone at this point; otherwise, follow these simple steps: https://goo.gl/cvl2Y. Once the application is installed, click Next Step.

07 Scan the QR code using the Google Authenticator application and enter two consecutive authentication passcodes in the Authentication Code 1 and Authentication Code 2 boxes, then click Activate Virtual MFA to complete the MFA device setup process. If successful, the following message will be displayed: “The MFA device was successfully associated.” Click Finish to exit the setup wizard. The new MFA virtual device should now be listed inside the Multi-Factor Authentication (MFA) section.

08 Repeat steps no. 1 – 7 for each AWS root account that you want to protect using an MFA device.

Publication date May 21, 2016