Logo of Trend Micro

Hardware MFA for AWS Root Account

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: IAM-042

Ensure that hardware Multi-Factor Authentication (MFA) is enabled for your root account in order to secure the access to your AWS resources and adhere to Amazon security best practices. A hardware MFA is much more efficient than a virtual MFA as it has a minimal attack surface and cannot be hacked unless the malicious user gain physical access to the hardware device.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Having hardware-based MFA protection for your root account is the best way to protect your AWS resources and services against attackers. A hardware MFA device signature adds an extra layer of protection on top of your existing root credentials making your Amazon Web Services root account virtually impossible to penetrate without the MFA generated passcode.

Audit

To determine if your AWS root account is protected with a hardware-based MFA solution, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console using your root credentials.

02 Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu:

Security Credentials

03 On Your Security Credentials page, click on the Multi-Factor Authentication (MFA) accordion tab to expand the MFA management panel.

04 On the MFA management panel, check for any enabled MFA device that has the Device Type attribute set "Hardware MFA". If the MFA device listed here does not have the Device Type set to "Hardware MFA", your AWS root account is not protected using a hardware-based MFA device, therefore does not adhere to AWS security best practices.

05 Repeat steps no. 1 – 4 for each Amazon Web Services root account that you want to examine.

Using AWS CLI

01 Run list-virtual-mfa-devices command (OSX/Linux/UNIX) using custom query filters to return the ARN of the active virtual MFA device assigned to your AWS root: 

aws iam list-virtual-mfa-devices
    --assignment-status Assigned
    --query 'VirtualMFADevices[*].SerialNumber'

02 The command output should return the Amazon Resource Name (ARN) for the virtual MFA device enabled within your root account: 

[
    "arn:aws:iam::123456789012:mfa/root-account-mfa-device"
]

Since Amazon Web Services allows assigning only one MFA device (virtual or hardware) to their clients root accounts, if the list-virtual-mfa-devices command output returns a valid ARN (e.g. "arn:aws:iam::123456789012:mfa/root-account-mfa-device"), it means the MFA device currently assigned is virtual, not hardware, therefore the selected root account is not protected using a hardware-based MFA device.

03 Repeat step no. 1 and 2 for each AWS root account that you want to examine via CLI.

Remediation / Resolution

To implement strong protection for your AWS root account using a Multi-Factor Authentication (MFA) hardware device, perform the following:

Note: Installing and activating a hardware-based MFA device for the AWS root account via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console using your root credentials.

02 Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu:

Security Credentials

03 On Your Security Credentials page, click on the Multi-Factor Authentication (MFA) accordion tab to expand the MFA management panel.

04 On the MFA management panel click the Activate MFA button to initiate the MFA device setup process. Note: If a virtual MFA is already set up, 'Activate MFA' button will not be visible. The virtual MFA will have to be deactivated first.

05 Inside the Manage MFA Device dialog box, perform the following actions:

  1. Select A hardware MFA device option then click Next Step.
  2. For Serial Number enter the serial number that is usually found on the back of the hardware device.
  3. For Authentication Code enter the six-digit number generated by the MFA hardware device selected at the previous step. Follow the instructions provided by the device manufacturer to generate the necessary code.
  4. For Authentication Code 2 wait 30 seconds while the device refreshes the generated code, then enter the next six-digit number into the box. Click Next Step to confirm the details and install the MFA device.
  5. Click Finish to return to the AWS IAM dashboard. The MFA hardware device is now assigned to your AWS root account and activated. The next time you use your root account credentials to sign in, you must also provide a code generated by hardware MFA device currently installed.

06 Repeat steps no. 1 – 5 for each AWS root account that you want to protect using a hardware-based MFA device.

References

Publication date May 7, 2017

Related IAM rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Hardware MFA for AWS Root Account

Risk level: High