AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Root Account Should Have MFA and External ID Set
More Info:
This rule identifies IAM roles that do not require multi-factor authentication (MFA) or external ID for assumed roles. Roles without MFA or external ID can pose security risks, as they may allow unauthorized access or increase the attack surface for potential breaches. Enforcing MFA and external ID requirements adds an additional layer of security to IAM roles and helps prevent unauthorized access.
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration in AWS IAM where the root account should have MFA and External ID set, follow these steps using the AWS Management Console:
-
Enable Multi-Factor Authentication (MFA) for the Root Account:
- Log in to the AWS Management Console using the root account credentials.
- Navigate to the IAM service.
- In the navigation pane, click on “Users”.
- Click on the root account username.
- In the “Security credentials” tab, locate the “Assigned MFA device” section and click on “Manage”.
- Follow the prompts to set up MFA for the root account. You can choose to use a virtual MFA device or a hardware MFA device.
- Once MFA is enabled, make sure to complete the MFA setup process.
-
Set an External ID for the Root Account:
- While still in the IAM Management Console, click on the root account username.
- In the “Permissions” tab, click on the “Add inline policy” button.
- Select the JSON tab to provide a custom policy.
- Enter a policy document similar to the following, replacing
YOUR_EXTERNAL_IDwith your desired external ID:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*", "Condition": { "StringEquals": { "sts:ExternalId": "YOUR_EXTERNAL_ID" } } } ] }- Click on Review policy, provide a name for the policy, and click on “Create policy”.
-
Test the External ID:
- To test the External ID, you can try to assume a role that requires the External ID. If the External ID is set correctly, the assumption of the role should succeed.
By following these steps, you will have successfully remediated the misconfiguration in AWS IAM where the root account should have MFA and an External ID set.
To remediate the misconfiguration of the root account not having MFA and External ID set in AWS IAM using AWS CLI, follow these steps:
-
Enable MFA for Root Account:
- Run the following AWS CLI command to enable MFA for the root account:
Replace
aws iam enable-mfa-device --user-name <root_account_username> --serial-number arn:aws:iam::<account_id>:mfa/root-account-mfa<root_account_username>with the root account’s username and<account_id>with your AWS account ID.
- Run the following AWS CLI command to enable MFA for the root account:
-
Set External ID for Root Account:
- Generate a random external ID using a tool like
openssl:openssl rand -hex 32 - Copy the generated External ID.
- Generate a random external ID using a tool like
-
Attach the Policy to the Root Account:
- Run the following AWS CLI command to attach the
IAMFullAccesspolicy to the root account with the External ID:Replaceaws iam attach-user-policy --user-name <root_account_username> --policy-arn arn:aws:iam::aws:policy/IAMFullAccess --policy-inputs '{"ExternalId":"<generated_external_id>"}'<root_account_username>with the root account’s username and<generated_external_id>with the External ID you generated in step 2.
- Run the following AWS CLI command to attach the
-
Verify Configuration:
- To verify that MFA and External ID are set for the root account, run the following AWS CLI commands:
- Check MFA status:
aws iam list-mfa-devices --user-name <root_account_username> - Check attached policies with External ID:
aws iam list-attached-user-policies --user-name <root_account_username>
- Check MFA status:
- To verify that MFA and External ID are set for the root account, run the following AWS CLI commands:
By following these steps, you can remediate the misconfiguration of the root account not having MFA and External ID set in AWS IAM using AWS CLI.
To remediate the misconfiguration in AWS IAM where the root account should have MFA and External ID set, you can use the AWS SDK for Python (Boto3) to automate the process. Here are the step-by-step instructions to remediate this issue:
-
Install Boto3: If you haven’t installed Boto3 yet, you can install it using pip:
pip install boto3 -
Create a Python script: Create a Python script (e.g.,
remediate_root_account_mfa.py) and import the necessary libraries:import boto3 -
Enable MFA for the root account: You can use the following code snippet to enable MFA for the root account:
iam_client = boto3.client('iam') iam_client.enable_mfa_device(UserName='root', SerialNumber='arn:aws:iam::aws:policy/IAMUser') -
Set External ID for the root account: You can use the following code snippet to set an External ID for the root account:
account_id = boto3.client('sts').get_caller_identity().get('Account') external_id = 'your_external_id_here' iam_client.create_account_alias(AccountAlias=external_id) -
Run the Python script: Execute the Python script using the command:
python remediate_root_account_mfa.py
By following these steps, you can remediate the misconfiguration in AWS IAM where the root account should have MFA and External ID set using Python and Boto3.