
Severity: High

Description: This control checks that every IAM user who has a console password enabled also has an MFA device assigned (MFA active). With MFA enabled, a user signing in to the AWS Management Console is prompted for their user name and password and, in addition, for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for every IAM user that has a console password.
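The audit behind this control is a row-by-row check of the IAM credential report: any user row with password_enabled set to true must also have mfa_active set to true. The following is an added example (not part of this page or of AWS tooling) that performs that check. The embedded report is constructed sample data with only the report's first nine columns; the fetch_credential_report function uses the real boto3 calls generate_credential_report and get_credential_report and is only run when --live is passed.

```python
"""Find IAM users with a console password but no MFA (CIS 1.10 audit).

Added example. SAMPLE_REPORT is constructed data shaped like the IAM credential
report; fetch_credential_report pulls the live report with boto3 if installed.
"""
import csv
import io
import sys
import time

# Constructed sample credential report. Column names match the real report;
# columns after access_key_1_active are omitted for brevity.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2021-03-01T12:00:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,2020-02-01T00:00:00+00:00,true,2021-03-02T09:30:00+00:00,2020-02-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2020-03-01T00:00:00+00:00,true,no_information,2020-03-01T00:00:00+00:00,N/A,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-04-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true
carol,arn:aws:iam::123456789012:user/carol,2020-05-01T00:00:00+00:00,true,2021-03-03T08:00:00+00:00,2020-05-01T00:00:00+00:00,N/A,false,false
"""


def parse_report(csv_text):
    """Parse the credential report CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def users_missing_mfa(rows):
    """Return user names with password_enabled=true and mfa_active!=true.

    The <root_account> row is skipped: its password_enabled field reads
    'not_supported' and root MFA is covered by a separate control.
    """
    findings = []
    for row in rows:
        if row["user"] == "<root_account>":
            continue
        password_enabled = row["password_enabled"].strip().lower() == "true"
        mfa_active = row["mfa_active"].strip().lower() == "true"
        if password_enabled and not mfa_active:
            findings.append(row["user"])
    return findings


def fetch_credential_report():
    """Fetch the live report with boto3.

    Needs credentials allowed iam:GenerateCredentialReport and
    iam:GetCredentialReport. Generation is asynchronous, so poll until the
    state is COMPLETE. IAM caches the report and only regenerates it when the
    previous one is more than four hours old, which is why recent credential
    changes can take that long to show up.
    """
    import boto3  # optional dependency, only needed for --live

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    text = fetch_credential_report() if "--live" in sys.argv else SAMPLE_REPORT
    for user in users_missing_mfa(parse_report(text)):
        print(f"NON-COMPLIANT: {user} has a console password but no MFA device")
```

Run it without arguments to see the check against the sample data (bob and carol are reported), or with --live to run it against the account the current AWS credentials belong to.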

Remediation Steps:

Perform the following to assign a virtual MFA device to the IAM user:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to IAM console.

  3. In the navigation pane, choose Users.

  4. In the User Name list, choose the name of the intended MFA user.

  5. Choose the Security credentials tab.

  6. Next to Assigned MFA device, choose the edit icon.

  7. In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.

  8. Open your virtual MFA app.

  9. Determine whether the MFA app supports QR codes, and then do one of the following:

    • Use the app to scan the QR code.

    • In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA app.

    When finished, the virtual MFA device starts generating one-time passwords.

  10. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password, then type that second one-time password into the Authentication Code 2 box. The two codes must be consecutive. Choose Activate Virtual MFA.

Important:

  • Changes to a user's credentials may take up to 4 hours to be reflected in the IAM evaluation of this control, because the IAM credential report is regenerated at most once every four hours.

  • Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device is still associated with the user, but it is out of sync, because time-based one-time passwords (TOTP) expire after a short period of time. An out-of-sync device can be resynchronized from the user's Security credentials tab (or with aws iam resync-mfa-device) by entering two fresh consecutive codes.
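To make the "two consecutive codes" and "out of sync" remarks concrete, here is an added example (not AWS code and not part of this page) implementing RFC 6238 TOTP as a virtual MFA app does: HMAC-SHA1 over a 30-second counter, truncated to six digits. It also includes activation_pair_ok, which is an assumed, simplified model of how a server might verify the activation pair, not AWS's actual algorithm. The seed is the RFC 6238 test-vector seed, and its base32 form stands in for the secret key shown by "Show secret key for manual configuration".

```python
"""RFC 6238 TOTP and a model of the two-code activation check.

Added example. RFC_SEED is the RFC 6238 test-vector seed; activation_pair_ok is
an assumed simplification of the server-side check, not AWS's implementation.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30    # time-step in seconds used by virtual MFA apps
DIGITS = 6   # code length shown by the authenticator app

RFC_SEED = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over the current time-step counter, i.e. RFC 6238 with SHA-1."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret key shown by the console (spaces/padding optional)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def consecutive_codes(secret: bytes, unix_time: int):
    """The pair the wizard asks for: the current window's code and the next window's."""
    return totp(secret, unix_time), totp(secret, unix_time + STEP)


def activation_pair_ok(secret: bytes, code1: str, code2: str,
                       server_time: int, skew_windows: int = 1) -> bool:
    """Assumed model of the activation check (not AWS's algorithm).

    code1 must match a window within skew_windows of the server clock and code2
    must be the code of the immediately following window. A second code taken
    several windows later therefore fails, which is the out-of-sync case.
    """
    base = server_time // STEP
    for n in range(base - skew_windows, base + skew_windows + 1):
        first = totp(secret, n * STEP)
        second = totp(secret, (n + 1) * STEP)
        if hmac.compare_digest(first, code1) and hmac.compare_digest(second, code2):
            return True
    return False


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 test-vector times
    c1, c2 = consecutive_codes(RFC_SEED, t)
    print("consecutive pair:", c1, c2, "accepted:", activation_pair_ok(RFC_SEED, c1, c2, t))
    # User typed code1, then waited three windows (90 s) before reading code2.
    late = totp(RFC_SEED, t + 3 * STEP)
    print("late pair:", c1, late, "accepted:", activation_pair_ok(RFC_SEED, c1, late, t))
```

The same two codes are what the console's Authentication Code 1 and 2 boxes (and aws iam enable-mfa-device --authentication-code1/--authentication-code2) expect, so the window arithmetic above is exactly what goes wrong when the submission is delayed.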

Reference:

  • CIS reference: CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.10
