Ensure that all users with AWS Console access have Multi-Factor Authentication (MFA) enabled in order to secure your AWS environment and adhere to IAM security best practices.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Having MFA-protected IAM users is the best way to protect your AWS resources and services against attackers. An MFA device signature adds an extra layer of protection on top of your existing IAM user credentials (username and password), making your AWS account virtually impossible to penetrate without the MFA generated passcode.
To determine if your IAM users are MFA-protected, perform the following:
To enable MFA access protection for your IAM users, perform the following:Note: As example, this guide will use Google Authenticator as MFA device since is one of the most popular MFA virtual applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features visit http://aws.amazon.com/iam/details/mfa/