🛡️ AWS IAM User MFA is not enabled for all users🟢

• Contextual name: 🛡️ User MFA is not enabled for all users🟢
• ID: /ce/ca/aws/iam/mfa-for-all-users
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM User
  • 🔌 AWS IAM User - credReport.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [IAM.19] MFA should be enabled for all IAM users

Description

Open File

Description

Ensure that Multi-Factor Authentication (MFA) is enabled for all IAM users within your account in order to secure your AWS environment and adhere to IAM security best practices.

Rationale

When Multi-Factor Authentication (MFA) is enabled, the user will have to present a minimum of two separate forms of authorization before its access is granted. Having an MFA-protected user account represents an efficient way to safeguard your Oracle Cloud Infrastructure (OCI) resources against malicious actors as attackers would have to compromise at least two different authentication methods in order to gain access, and this reduces significantly the risk of attack.

Impact

AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.

Audit

This policy marks a IAM User as INCOMPLIANT based on the Credential Report's mfa_active attribute. If mfa_active is not true, the IAM User is marked as INCOMPLIANT.

... see more

Remediation

Open File

Remediation

Perform the following to enable MFA:

From Console

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the left pane, select Users.
3. In the User Name list, choose the name of the intended MFA user.
4. Choose the Security Credentials tab, and then choose Manage MFA Device.
5. In the Manage MFA Device wizard, choose Virtual MFA device, and then choose Continue.

IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.

6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Well-Architected → 💼 SEC02-BP01 Use strong sign-in mechanisms			5		no data
💼 Cloudaware Framework → 💼 Multi-Factor Authentication (MFA) Implementation			17		no data