IAM multi-factor authentication should be enabled for all IAM users that have a console password
Multi-factor authentication provides additional assurance that the individual attempting to sign in is who they claim to be. With MFA enabled, a password alone (phished, reused or leaked) is not enough: an attacker would also need the user's MFA device or its seed, which raises the cost of compromise and thus reduces the risk. The control applies to IAM users that have a console password; users that only hold access keys are not in scope, and the root account's MFA is covered by a separate control.
Console Remediation Steps
Navigate to IAM.
In the left navigation, select Users.
Add the MFA column if it is not displayed by default.
Select a user who has a console password but does not have MFA enabled.
Click the Security credentials tab.
In Assigned MFA Device, click Manage.
Assign the device and complete the enrollment by following the console prompts.
Repeat the above steps until every user with a console password has MFA enabled.
CLI Remediation Steps
Create the virtual MFA device. The command writes the seed as a QR code to QRCode.png and returns the device's serial number, which is its ARN and is needed in the final step:
aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa device name> --outfile QRCode.png --bootstrap-method QRCodePNG
Scan the QR code into the desired MFA authenticator according to the authenticator's instructions, then delete QRCode.png: the file holds the shared secret, and anyone who obtains it can generate valid codes for this device.
Generate two consecutive authentication codes with the MFA authenticator.
Enable the virtual MFA device for the user, passing the device ARN as the serial number together with the two codes:
aws iam enable-mfa-device --user-name <user name> --serial-number <mfa device ARN> --authentication-code-1 <code> --authentication-code-2 <code>
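Before either remediation path, you need the list of users to remediate. The IAM credential report gives this for the whole account in one CSV: a user needs MFA when its password_enabled column is true and its mfa_active column is not. The script below is an added example (not part of the original page or of the AWS CLI) that applies that rule. It runs offline against a constructed sample report embedded inline; the account ID, usernames and timestamps in the sample are made up. Against a real account, fetch the report with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`, save the result, and pipe it into `users_missing_mfa`.

```shell
#!/bin/sh
# Added example, not part of the original page: list IAM users that have a
# console password but no MFA device, using the IAM credential report CSV.
#
# Against a real account, obtain the report with the AWS CLI:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d > report.csv
# then source this file and run:  users_missing_mfa < report.csv

# Constructed sample credential report (made-up account ID, users and dates).
# Column names and order are the ones AWS emits; only user, password_enabled
# and mfa_active matter for this check.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-01-02T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true,2023-12-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T00:00:00+00:00,true,no_information,2023-12-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-03-04T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-12-01T00:00:00+00:00,2024-01-02T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

# Read a credential report on stdin and print, one per line, the users that
# have a console password (password_enabled == true) but no MFA (mfa_active != true).
# Columns are resolved by name from the header row rather than by position, so
# the check keeps working if AWS appends columns.
# The root row is skipped: root MFA is a separate control, and its
# password_enabled field reads "not_supported" rather than true/false.
users_missing_mfa() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["user"] != "<root_account>" &&
        $col["password_enabled"] == "true" &&
        $col["mfa_active"] != "true" { print $col["user"] }
    '
}

# Number of non-compliant users, for use as a pass/fail signal in CI.
count_missing_mfa() {
    users_missing_mfa | wc -l | tr -d ' '
}

# Exit status form: 0 when every password-enabled user has MFA, 1 otherwise.
report_is_compliant() {
    [ "$(count_missing_mfa)" -eq 0 ]
}

printf 'IAM users with a console password but no MFA (sample report):\n'
printf '%s\n' "$SAMPLE_REPORT" | users_missing_mfa
```

In the sample only bob is reported: alice has MFA, deploy-bot has no console password (access keys only) and so is out of scope for this control, and the root row is excluded. Each user the script prints is one pass through the console or CLI steps above.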