Ensure that all users with AWS Console access have Multi-Factor Authentication (MFA) enabled in order to secure your AWS environment and adhere to IAM security best practices.
This rule can help you with the following compliance standards:
- The Center of Internet Security AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Having MFA-protected IAM users is the best way to protect your AWS resources and services against attackers. An MFA device signature adds an extra layer of protection on top of your existing IAM user credentials (username and password), making your AWS account virtually impossible to penetrate without the MFA generated passcode.
Audit
To determine if your IAM users are MFA-protected, perform the following:
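As an added example (not part of the Cloud Conformity page or its gated steps), the script below performs this audit with the AWS CLI commands listed in the references, `list-users` and `list-mfa-devices`, plus `get-login-profile`, which the page does not mention but is used here to tell console users (who have a login profile) from API-only users. The sample data is constructed and the account ID is a placeholder.

```python
import json
import subprocess


def unprotected_console_users(users, console_users, mfa_devices_by_user):
    """Return the IAM user names that have a console password but no MFA device.

    users: the "Users" list from `aws iam list-users`
    console_users: set of user names for which `aws iam get-login-profile` succeeded
    mfa_devices_by_user: user name -> "MFADevices" list from `aws iam list-mfa-devices`
    API-only users (no login profile) are skipped: this rule covers console access only.
    """
    findings = []
    for user in users:
        name = user["UserName"]
        if name not in console_users:
            continue
        if not mfa_devices_by_user.get(name):
            findings.append(name)
    return findings


def collect_from_aws():
    """Gather the three inputs with the AWS CLI (needs credentials with IAM read access)."""
    def cli(*args):
        # get-login-profile exits non-zero (NoSuchEntity) for users without a console password.
        out = subprocess.run(["aws", "iam", *args, "--output", "json"],
                             capture_output=True, text=True)
        return json.loads(out.stdout) if out.returncode == 0 else None

    users = cli("list-users")["Users"]
    console_users = {u["UserName"] for u in users
                     if cli("get-login-profile", "--user-name", u["UserName"]) is not None}
    mfa = {u["UserName"]: cli("list-mfa-devices", "--user-name", u["UserName"])["MFADevices"]
           for u in users}
    return users, console_users, mfa


# Constructed sample data shaped like the CLI output (placeholder account ID, not a real account).
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "deploy-bot"}]
SAMPLE_CONSOLE_USERS = {"alice", "bob"}  # deploy-bot is API-only: no login profile
SAMPLE_MFA = {
    "alice": [{"UserName": "alice", "SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
    "bob": [],
    "deploy-bot": [],
}

if __name__ == "__main__":
    # Replace the sample arguments with *collect_from_aws() to audit a real account.
    print(unprotected_console_users(SAMPLE_USERS, SAMPLE_CONSOLE_USERS, SAMPLE_MFA))  # ['bob']
```

Any user name the function returns is a finding for this rule: a console password is set and no MFA device is assigned.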
Remediation / Resolution
To enable MFA access protection for your IAM users, perform the following:
Note: As an example, this guide uses Google Authenticator as the MFA device, since it is one of the most popular virtual MFA applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features, visit http://aws.amazon.com/iam/details/mfa/
References
- AWS Documentation
- AWS Identity and Access Management FAQs
- Multi-Factor Authentication
- IAM Best Practices
- Using Multi-Factor Authentication (MFA) in AWS
- AWS Command Line Interface (CLI) Documentation
- iam
- list-users
- list-mfa-devices
- create-virtual-mfa-device
- enable-mfa-device
- AWS Blog(s)
- Securing Access to AWS Using MFA--Part 1
You are auditing:
MFA For IAM Users With Console Password
Risk level: High