IAM multi-factor authentication should be enabled for all IAM users that have a console password


Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Console Remediation Steps

  • Navigate to IAM.

  • In the left navigation, select Users.

  • Add the MFA column if it is not displayed by default.

  • Select the user who does not have MFA enabled.

  • Click the Security credentials tab.

  • In Assigned MFA Device, click Manage.

  • Enable MFA for the user as described here.

  • Repeat the above steps until all users have MFA enabled.

CLI Remediation Steps

  • Create the virtual MFA device:

    • aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa device name> --outfile QRCode.png --bootstrap-method QRCodePNG

  • Sync the device with the desired MFA authenticator according to the authenticator’s instructions.

  • Generate two consecutive authentication codes with the MFA authenticator.

  • Enable the virtual MFA device for a user, providing the two codes:

    • aws iam enable-mfa-device --user-name <user name> --serial-number <mfa device ARN> --authentication-code-1 <code> --authentication-code-2 <code>
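To find the users this check flags before remediating, and to confirm afterwards that none remain, the IAM credential report can be parsed for users whose `password_enabled` is true while `mfa_active` is false. The following is an added example, not part of the original page: the sample CSV is constructed (account number, names and timestamps are made up), and `fetch_credential_report` is a hypothetical boto3 helper for pulling the live report.

```python
import csv
import io
import time

# Constructed sample in the layout of an IAM credential report
# (the CSV returned by `aws iam get-credential-report`). Values are
# made up; the real report carries further columns (access key
# fields) that this check does not need.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-05-10T12:00:00+00:00,true,2024-03-01T08:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2022-02-14T09:30:00+00:00,true,no_information,2022-02-14T09:30:00+00:00,N/A,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def users_missing_mfa(report_csv: str) -> list[str]:
    """Return IAM user names that have a console password but no active MFA.

    The <root_account> row is skipped: its password_enabled field reads
    'not_supported', and root MFA is a separate check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        has_password = row["password_enabled"].strip().lower() == "true"
        has_mfa = row["mfa_active"].strip().lower() == "true"
        if has_password and not has_mfa:
            findings.append(row["user"])
    return findings


def fetch_credential_report(iam_client, attempts: int = 10) -> str:
    """Hypothetical helper: generate and download the live report via a
    boto3 IAM client. Generation is asynchronous, so poll until COMPLETE.
    Not exercised offline."""
    for _ in range(attempts):
        if iam_client.generate_credential_report()["State"] == "COMPLETE":
            return iam_client.get_credential_report()["Content"].decode()
        time.sleep(2)
    raise RuntimeError("credential report not ready")


if __name__ == "__main__":
    for user in users_missing_mfa(SAMPLE_REPORT):
        print(f"{user}: console password enabled, MFA not active")
```

Users without a console password (such as svc-deploy above) are outside the scope of this check, which is why `password_enabled` is tested alongside `mfa_active`.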