NEW Featured eBook: AWS Cloud Cost Allocation: The Complete Guide - Download Now

MFA for IAM users with Console Sign-in

Ensure that all users with AWS Console access have Multi-Factor Authentication (MFA) enabled in order to secure your AWS environment and adhere to IAM security best practices.

This rule can help you with the following compliance standards:

This rule can also help you work with the AWS Well-Architected Framework

Having MFA-protected IAM users is the best way to protect your AWS resources and services against attackers. An MFA device signature adds an extra layer of protection on top of your existing IAM user credentials (username and password), making your AWS account virtually impossible to penetrate without the MFA generated passcode.

Audit

To determine if your IAM users are MFA-protected, perform the following:

1.  Sign in to the AWS Management Console.

2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

3.In the left navigation panel, select Users.

4. Click on the IAM user name that you want to examine.

5.  On the IAM user configuration page, select Security Credentials tab.

6.  Inside the Sign-In Credentials section, check the Console password and Multi-Factor Authentication Device status. If the Console password feature status is set to Yes and Multi-Factor Authentication Device is set to No, the selected IAM user authentication process is not MFA-protected and is not following AWS IAM security best practices.

 7.  Repeat steps no. 4 – 6 for each IAM user that you want to examine available in your AWS account.

1.Run list-users command (OSX/Linux/UNIX) to list all IAM users within your account:

aws iam list-users \\
--query 'Users[*].UserName'

2. The command output should return an array that contains all your IAM user names:

[
    "braulio",
    "carlos",
		...
    "shan",
    "tsdb.engineering.tshell"
]

3. Run get-login-profile command (OSX/Linux/UNIX) to check if AWS Console access is enabled for the selected IAM user

aws iam get-login-profile \\
--user-name carlos

4. The command output should return an object that contains the Login Profile for the selected IAM user:

{
    "LoginProfile": {
        "UserName": "carlos",
        "CreateDate": "2020-08-10T20:09:14+00:00",
        "PasswordResetRequired": false
    }
}

5.  Run list-mfa-devices command (OSX/Linux/UNIX) to list the MFA devices (if any) for the selected IAM user:

aws iam list-mfa-devices \\
--user-name carlos

6. The command output should return an array that contains all the MFA devices assigned to the specified IAM user:

{
    "MFADevices": []
}

If the MFADevices array returned for you is empty, i.e. [ ], the selected IAM user authentication process is not MFA-protected.

7. Repeat steps no. 1 – 5 for each IAM user that you want to examine within your AWS account.

Remediation / Resolution

To enable MFA access protection for your IAM users, perform the following:

As example, this guide will use Google Authenticator as MFA device since this is one of the most popular MFA virtual applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features visit http://aws.amazon.com/iam/details/mfa/

1. Sign in to the AWS Management Console.

2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the left navigation panel, select Users.

4. Click on the IAM user name that you want to update.

5. On the IAM user configuration page, select Security Credentials tab.

6. Inside the Sign-In Credentials section, click the Manage MFA Device button next to Multi-Factor Authentication Device to initiate the MFA device setup process.

7. In the Manage MFA Device dialog box, select A virtual MFA device and click Next Step.

8. Now install the AWS MFA-compatible application. The MFA application used in this example is Google Authenticator. This guide assumes that you have already the application installed on your smartphone at this point, otherwise just follow these simple steps: https://support.google.com/accounts/answer/1066447?hl=en. Once the application is installed, click Next.

9. Scan the QR code using the Google Authenticator application and enter two consecutive authentication codes in the Authentication Code 1 and Authentication Code 2 text boxes, then click Activate Virtual MFA to complete the setup process. If successful, the following message will be displayed:

“The MFA device was successfully associated.”.

Click Finish to exit the setup wizard. The new MFA virtual device ARN should be listed inside the Multi-Factor Authentication Device section:

10. Repeat steps no. 4 – 9 for all AWS IAM users available in your AWS account.

1. Run create-virtual-mfa-device command (OSX/Linux/UNIX) to create a new virtual MFA device within your AWS account:

aws iam create-virtual-mfa-device
	--virtual-mfa-device-name CarlosMFADevice
	--outfile /root/QRCode.png --bootstrap-method QRCodePNG

 
2. The command output should return the new virtual MFA device Amazon Resource Name (ARN):

{
    "VirtualMFADevice": {
        "SerialNumber": "arn:aws:iam::695292474035:mfa/CarlosMFADevice"
    }
}

 
3. Run enable-mfa-device command (OSX/Linux/UNIX) to activate the specified MFA virtual device (in this case Google Authenticator) and associate it with the selected IAM user. The highlighted values represent two consecutive MFA device passcodes. The enable-mfa-device command is not returning an output:

aws iam enable-mfa-device \\
--user-name carlos \\
--serial-number arn:aws:iam::695292474035:mfa/CarlosMFADevice \\
--authentication-code-1 258334 \\
--authentication-code-2 335422 \\

 
4. Finally, run list-mfa-devices command (OSX/Linux/UNIX) to determine if the new MFA device has been successfully installed for the selected IAM user:

aws iam list-mfa-devices \\
--user-name carlos

 
5. If successful, the command output should return the MFA device metadata (ARN, instantiation date, etc ):

{
    "MFADevices": [
        {
            "UserName": "carlos",
            "SerialNumber": "arn:aws:iam::695292474035:mfa/carlos",
            "EnableDate": "2020-08-18T23:50:37+00:00"
        }
    ]
}

 
6. Repeat steps no. 1 – 5 for all AWS IAM users within your AWS account.
 

Still Need Help?

Come see why we are the #1 cloud management platform and why companies like Uber, Dickey’s BBQ Pit and Norwegian Cruise Line trust nOps to manage their cloud.