Description
Ensure that Multi-Factor Authentication (MFA) is enabled for all IAM users within your account in order to secure your AWS environment and adhere to IAM security best practices.
Rationale
When Multi-Factor Authentication (MFA) is enabled, a user must present at least two separate forms of authentication before access is granted. Having an MFA-protected user account is an effective way to safeguard your Oracle Cloud Infrastructure (OCI) resources against malicious actors, because attackers would have to compromise at least two different authentication methods in order to gain access, which significantly reduces the risk of attack.
Impact
AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.
Audit
This policy marks an IAM User as INCOMPLIANT based on the Credential Report's mfa_active attribute. If mfa_active is not true, the IAM User is marked as INCOMPLIANT.
A status of UNDETERMINED may indicate a permissions issue with the iam:GetCredentialReport API call.
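The audit rule above, applied to a credential report, as an added example (not this policy's own code). The sample report is constructed and trimmed to a few columns; the `COMPLIANT` label, the `evaluate_mfa` name, and skipping the `<root_account>` row are assumptions.

```python
import csv
import io

# Constructed sample in the credential report's CSV layout (a real report has
# more columns). Not data from a real account.
SAMPLE_REPORT = b"""user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false
"""


def evaluate_mfa(report_bytes):
    """Return {arn: status} for every IAM user row in a credential report.

    report_bytes is the 'Content' field returned by the IAM
    GetCredentialReport call, or None when that call failed
    (for example, because iam:GetCredentialReport was denied).
    """
    if report_bytes is None:
        # No report means no evidence either way, so nothing can be judged.
        return {"*": "UNDETERMINED"}

    results = {}
    rows = csv.DictReader(io.StringIO(report_bytes.decode("utf-8")))
    for row in rows:
        if row["user"] == "<root_account>":
            continue  # assumption: the root row is not an IAM user
        # Rule from this page: anything other than true is INCOMPLIANT,
        # which includes an empty or missing mfa_active value.
        value = (row.get("mfa_active") or "").strip().lower()
        results[row["arn"]] = "COMPLIANT" if value == "true" else "INCOMPLIANT"
    return results


if __name__ == "__main__":
    for arn, status in evaluate_mfa(SAMPLE_REPORT).items():
        print(f"{status:12} {arn}")
```

Note that `ci-deploy` is flagged even though it has no console password, because the rule looks only at mfa_active.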