AWS-IAM-Bad-MFA-Policy

Severity : Medium

Description: This control checks whether an IAM policy allows the IAM users it is attached to to change their own MFA configuration. AWS provides a policy pattern that lets IAM users self-manage MFA, and such a policy can also grant permission to update MFA programmatically. If an IAM user's credentials are compromised, this permission lets the attacker remove MFA from that user, or remove the existing MFA device and register their own. It is advised that the policy be updated so that it no longer allows adding or deleting MFA devices.

Remediation Steps:

Perform the following steps to update the customer managed IAM policy:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the IAM console.

  3. In the navigation pane, choose Policies.

  4. Select the reported customer managed policy from the list.

  5. Select Edit Policy and open the JSON editor. Edit the policy to remove the actions iam:CreateVirtualMFADevice, iam:EnableMFADevice and iam:DeactivateMFADevice.

  6. Select Review Policy.

  7. Select Save Policy to save changes.
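The same check and fix, expressed as a script, as an added example that is not part of this control page or of Blue Hexagon's tooling: it scans an IAM policy document for Allow statements that grant the three MFA-modifying actions named in step 5 (including grants hidden behind "iam:*"-style wildcards or NotAction), and produces a remediated copy with the explicit entries removed. The sample policy is constructed for the example and mirrors the common self-service MFA pattern; the extra actions it keeps (iam:ListMFADevices, iam:ResyncMFADevice) and the Sid are assumptions, while "${aws:username}" is a real IAM policy variable. Wildcard or NotAction grants are reported for manual editing rather than rewritten blindly, since dropping "iam:*" would change far more than the MFA permissions.

```python
import copy
import fnmatch
import json

# The MFA-modifying actions this control flags (the three named in step 5).
MFA_MUTATING_ACTIONS = (
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:DeactivateMFADevice",
)

# Constructed sample: a self-service MFA policy as it is commonly written.
# A user whose access keys leak can use the first three actions to strip
# or swap their own MFA device.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnMFA",  # assumed Sid
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:DeactivateMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice",
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}",
            ],
        }
    ],
}


def _as_list(value):
    """IAM allows Statement/Action/NotAction to be a string or a list; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_mfa_mutating_grants(policy):
    """Return (Sid, pattern, action) for every Allow statement that grants one
    of the MFA-mutating actions, whether by exact name, by wildcard, or via a
    NotAction that does not exclude the action."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            for action in MFA_MUTATING_ACTIONS:
                if not any(_matches(p, action) for p in excluded):
                    findings.append((sid, "NotAction", action))
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in MFA_MUTATING_ACTIONS:
                if _matches(pattern, action):
                    findings.append((sid, pattern, action))
    return findings


def remediate(policy):
    """Return (fixed_policy, unresolved): a deep copy with explicitly listed
    MFA-mutating actions removed, plus the grants that still match afterwards
    (wildcards, NotAction) and therefore need a manual policy edit."""
    fixed = copy.deepcopy(policy)
    blocked = {a.lower() for a in MFA_MUTATING_ACTIONS}
    statements = _as_list(fixed.get("Statement"))
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a.lower() not in blocked]
    # Drop statements left with no actions at all.
    fixed["Statement"] = [s for s in statements if s.get("Action", [None]) != []]
    return fixed, find_mfa_mutating_grants(fixed)


if __name__ == "__main__":
    for sid, pattern, action in find_mfa_mutating_grants(WEAK_POLICY):
        print(f"FINDING: statement {sid!r} grants {action} via {pattern!r}")
    fixed_policy, unresolved = remediate(WEAK_POLICY)
    print(json.dumps(fixed_policy, indent=2))
    for sid, pattern, action in unresolved:
        print(f"MANUAL REVIEW: statement {sid!r} still grants {action} via {pattern!r}")
```

Run it against an exported policy document (for example the output of the IAM console's JSON editor saved to a file) by loading that JSON in place of WEAK_POLICY; anything listed under MANUAL REVIEW is a wildcard or NotAction grant that the console steps above must handle by hand.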

Important:

Reference:

Blue Hexagon Proprietary