Ensure MFA is enabled for all IAM users with a console password

Error: MFA is not enabled for all IAM users with a console password

Bridgecrew Policy ID: BC_AWS_IAM_2
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Description

Multi-Factor Authentication (MFA) provides increased security to a user name and password. Users must possess a registered device that emits a time-sensitive key and have knowledge of a credential to authenticate successfully. When a user with MFA enabled signs in to an AWS website, they will be prompted for their user name, password and an authentication code from their AWS MFA device.

We recommend enabling MFA for all IAM users that have accounts with a console password.
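The check this policy performs can be reproduced from the IAM credential report (`aws iam get-credential-report`): a user is a finding when `password_enabled` is true and `mfa_active` is false. The script below is an added example, not Bridgecrew's or AWS's own code; the report rows are constructed for the example and trimmed to the columns the check reads, and the account id and user names are made up.

```python
import csv
import io

# Constructed sample of an IAM credential report, trimmed to the columns this
# check reads (a real report from `aws iam get-credential-report`, base64-decoded,
# carries more columns; csv.DictReader tolerates either). Users and values are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2023-05-01T10:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T09:00:00+00:00,true,2023-05-02T08:00:00+00:00,2022-01-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2021-06-15T12:00:00+00:00,true,no_information,2021-06-15T12:00:00+00:00,N/A,false
carol,arn:aws:iam::111122223333:user/carol,2022-09-09T09:09:09+00:00,TRUE,2023-04-30T07:00:00+00:00,2022-09-09T09:09:09+00:00,N/A,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def _flag(value):
    """Normalise a report boolean: only the literal 'true' (any case) counts as true.
    'false', 'not_supported' and 'N/A' all count as false."""
    return value.strip().lower() == "true"


def users_missing_mfa(report_csv):
    """Return the names of IAM users that have a console password but no active MFA device.

    The root account appears with password_enabled='not_supported' and is covered by a
    separate root-MFA check, so it is skipped here. Users without a console password
    (API-only users such as svc-deploy) are out of scope for this policy.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        if _flag(row["password_enabled"]) and not _flag(row["mfa_active"]):
            findings.append(row["user"])
    return findings


def evaluate(report_csv):
    """Map the finding list onto the policy's pass/fail verdict."""
    missing = users_missing_mfa(report_csv)
    return {"compliant": not missing, "users": missing}


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT)
    if result["compliant"]:
        print("PASS: every IAM user with a console password has MFA enabled")
    else:
        print("FAIL: MFA is not enabled for console users: " + ", ".join(result["users"]))
```

On the constructed report the verdict is FAIL for bob and carol; alice passes, svc-deploy has no console password and is ignored, and the root account is left to the root-MFA check.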

Example
The AWS Support Center provides technical support, customer services, and is used for incident notification and response. You should create a dedicated IAM account role to allow authorized users to manage incidents and communicate with the AWS Support Center. This role should have MFA enabled.

Fix - Runtime

AWS Console

To enable MFA using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, select Users.
  3. In the User Name list, select the name of the user for whom you want to enable MFA.
  4. Select the Security Credentials tab, then choose Manage MFA Device.
  5. In the Manage MFA Device wizard, select A virtual MFA device, then select Next Step.

Note

IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.

  6. Open your virtual MFA application.
  • See Virtual MFA Applications for a list of apps that you can use for hosting virtual MFA devices.
  • If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), select the option to create a new account (a new virtual MFA device).
  7. Use your MFA device to either scan the QR code or manually configure the key. The virtual MFA device will start generating one-time passwords.
  8. In the Manage MFA Device wizard:
  • In the Authentication Code 1 field, type the one-time password from the virtual MFA device.
  • Wait up to 30 seconds for the device to generate a new one-time password.
  • In the Authentication Code 2 field, type the second one-time password.
  • Select Activate Virtual MFA.

Forced IAM User Self-Service Remediation

Amazon has published a pattern that forces users to set up MFA themselves (self-service). Until this step is successfully completed, users cannot access services. This pattern can be used on new and existing AWS accounts.
We recommend that users with existing AWS accounts are given instructions and a grace period to complete MFA setup on their accounts prior to active enforcement.

CLI Command

Following through on the example of an IAM role used to access the AWS Support Center, the steps below use the Amazon unified command line interface (AWS CLI).

Create an IAM role for managing incidents with AWS:

Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam_user>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

To create the IAM role using the above trust policy, use the following command:

aws iam create-role \
  --role-name <aws_support_iam_role> \
  --assume-role-policy-document file:///tmp/TrustPolicy.json

To attach the AWSSupportAccess managed policy to the created IAM role, use the following command (substitute the ARN of the AWSSupportAccess managed policy for <iam_policy_arn>):

aws iam attach-role-policy \
  --policy-arn <iam_policy_arn> \
  --role-name <aws_support_iam_role>
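The trust policy above lets <iam_user> assume the Support Center role, but by itself it does not require that the user authenticated with MFA. The script below is an added example, not part of this page or of AWS's tooling: it generates the same trust policy with an extra Condition on the IAM condition key aws:MultiFactorAuthPresent, so the role can only be assumed from an MFA-authenticated session, and it lints a policy for the two weaknesses a reviewer would look for (a wildcard principal and a missing MFA condition). The principal ARN and the output path /tmp/TrustPolicy.json mirror the page's placeholders; the account id is made up.

```python
import json


def support_role_trust_policy(principal_arn, require_mfa=True):
    """Build the trust policy for the Support Center role.

    principal_arn is the IAM principal allowed to assume the role (the page's
    <iam_user> placeholder). With require_mfa=True the statement also carries the
    aws:MultiFactorAuthPresent condition, so sts:AssumeRole is only allowed from a
    session that signed in with MFA.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_problems(policy):
    """Return the reasons a trust policy is weaker than intended (empty list if none).

    Only Allow statements are examined. Principal may be the string "*" or a dict
    whose "AWS" entry is a single ARN or a list of ARNs.
    """
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("policy Version is not 2012-10-17")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else (principal or [])
        if isinstance(aws, str):
            aws = [aws]
        if "*" in aws:
            problems.append("principal is a wildcard")
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            problems.append("AssumeRole is allowed without aws:MultiFactorAuthPresent")
    return problems


def write_trust_policy(path, principal_arn):
    """Write the MFA-gated trust policy to `path` (for `--assume-role-policy-document file://...`)."""
    policy = support_role_trust_policy(principal_arn)
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return policy


if __name__ == "__main__":
    # Constructed principal; replace with the real <iam_user> ARN.
    policy = write_trust_policy("/tmp/TrustPolicy.json", "arn:aws:iam::111122223333:user/alice")
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy) or "none")
```

Run the script and pass the written file to `aws iam create-role --assume-role-policy-document file:///tmp/TrustPolicy.json` as in the steps above; feeding an existing trust policy to trust_policy_problems() is a quick way to confirm the role cannot be assumed without MFA before the AWSSupportAccess policy is attached.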