AWS-IAM-Administrator-Access-Users-Without-MFA
Severity : High
Description: This control ensures that IAM users with Administrator access and console access have MFA enabled (MFA active set to true). With MFA enabled, when an administrator signs in to an AWS website, they are prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.
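The following check, added here as an example and not part of the original control text, evaluates this condition offline against the IAM credential report format (the CSV returned, base64-encoded, by aws iam get-credential-report). The sample report is constructed, and the set of administrator users is assumed to be gathered separately (for example from aws iam list-entities-for-policy against the AdministratorAccess managed policy).

```python
import csv
import io

# Constructed sample in the IAM credential report format. Only the
# columns this check reads (user, arn, password_enabled, mfa_active)
# are filled in with meaningful values.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T10:00:00+00:00,true,2024-05-01T08:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,false
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T10:00:00+00:00,true,2024-05-01T08:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,true
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false
"""

# Assumption: the administrator user set is collected separately, e.g. from
#   aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
ADMIN_USERS = {"alice", "bob", "svc-deploy"}


def admins_without_mfa(report_csv: str, admin_users: set) -> list:
    """Return administrator users that have a console password but no MFA.

    A user is reported only when all three hold:
      * the user is in the administrator set,
      * password_enabled is "true" (console sign-in is possible),
      * mfa_active is "false".
    Access-key-only users (password_enabled "false") are skipped because the
    control concerns console access; the <root_account> row is skipped
    because the control concerns IAM users.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>" or user not in admin_users:
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] == "false":
            findings.append({"user": user, "arn": row["arn"], "severity": "High"})
    return findings


if __name__ == "__main__":
    for f in admins_without_mfa(SAMPLE_REPORT, ADMIN_USERS):
        print(f"{f['severity']}: {f['user']} ({f['arn']}) has console access without MFA")
```

Because credential changes can take time to appear in the report, a user whose MFA device was just assigned may still be listed until the report is regenerated.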
Remediation Steps:
Perform the following steps to update the IAM user:
Log in to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the IAM console.
In the navigation pane, choose Users.
In the User Name list, choose the name of the Administrator MFA user.
Choose the Security credentials tab.
Next to Assigned MFA device, choose Manage.
In the Manage MFA Device wizard, choose virtual MFA device, and then choose Continue.
Open your virtual MFA app.
Determine whether the MFA app supports QR codes, and then do one of the following:
Use the app to scan the QR code.
In the Manage MFA Device wizard, choose Show secret key, and then type the secret configuration key into your MFA app.
When finished, the virtual MFA device starts generating one-time passwords.
In the Manage MFA Device wizard, in the MFA code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the MFA Code 2 box. Choose Assign MFA.
Important:
Changes to account credentials may take up to 4 hours to be reflected in the AWS IAM evaluations.
Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device is still associated with the user, but it is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.5
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
Blue Hexagon Proprietary