AWS-IAM-MFA-Disabled

Severity : Medium

Description: This control checks whether users with administrative privileges have hardware MFA devices enabled. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password as well as for an authentication code from their MFA device. AWS security best practices require all highly privileged users to sign in with MFA.
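One way to automate the check this control describes, as an added example that is not part of the original control text: it parses an IAM credential report (the CSV returned by `aws iam get-credential-report`) and flags administrative users who have no MFA at all, or whose only MFA is a virtual device. The report, the list of administrative users and the list of virtual-device owners are constructed samples, and `evaluate_admin_mfa` is an assumed name.

```python
import csv
import io

# Constructed sample credential report, trimmed to the columns used here.
SAMPLE_CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T00:00:00+00:00,true,false
carol,arn:aws:iam::111122223333:user/carol,2021-03-04T00:00:00+00:00,true,true
dave,arn:aws:iam::111122223333:user/dave,2021-03-04T00:00:00+00:00,false,false
"""

# Constructed: users holding an administrative policy (in practice derived from
# attached user/group policies) and users whose MFA device is virtual (in
# practice from `aws iam list-virtual-mfa-devices`). A user with mfa_active=true
# who is not in the virtual list has a hardware TOTP token or a FIDO key.
ADMIN_USERS = {"alice", "bob", "carol", "dave"}
VIRTUAL_MFA_USERS = {"carol"}


def evaluate_admin_mfa(report_csv, admin_users, virtual_mfa_users):
    """Return {user: finding} for each admin user whose MFA posture fails.

    Users without a console password are skipped: the MFA prompt described by
    this control only applies to console sign-in.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user not in admin_users or row["password_enabled"] != "true":
            continue
        if row["mfa_active"] != "true":
            findings[user] = "NO_MFA"
        elif user in virtual_mfa_users:
            findings[user] = "VIRTUAL_MFA_ONLY"
    return findings


if __name__ == "__main__":
    for user, finding in evaluate_admin_mfa(
        SAMPLE_CREDENTIAL_REPORT, ADMIN_USERS, VIRTUAL_MFA_USERS
    ).items():
        print(f"{user}: {finding}")
```

With the sample data, alice passes (hardware device), bob is reported as NO_MFA, carol as VIRTUAL_MFA_ONLY, and dave is skipped because he has no console password.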

Remediation Steps:

To configure and enable a hardware MFA device for a user:

  1. Sign in to AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to IAM service.

  3. In the navigation pane, choose the user name, and then choose Security Credentials.

  4. On the AWS IAM credentials page, under Multi-factor authentication, choose Manage MFA device.

  5. In the Manage MFA device wizard, choose Hardware MFA device and then choose Continue.

  6. Type the device serial number.

  7. In the MFA code 1 box, type the six-digit number displayed by the MFA device.

  8. Wait 30 seconds for the device to refresh the code, then type the next six-digit number into the MFA code 2 box.

  9. Choose Assign MFA.

Important:

  • Changes to account credentials may take up to 4 hours to be reflected in the AWS IAM evaluations.

Reference:


Blue Hexagon Proprietary