Root Account Should Have MFA
More Info:
Multi-factor authentication (MFA) should be enabled on every account without exception, and on the root user first. The root user has unrestricted access to every resource and billing setting in the account, IAM policies cannot restrict it, and it cannot be deleted or scoped down, so without MFA a leaked or guessed root password is a complete account takeover. Enabling root MFA is the first control in the CIS AWS Foundations Benchmark's IAM section and an IAM best practice.
Risk Level
Critical
Address
Security
Compliance Standards
HIPAA, GDPR, CISAWS, CBP, NIST, SOC2, PCIDSS, HITRUST, AWSWAF, NISTCSF
Triage and Remediation
How to Prevent
To enable Multi-Factor Authentication (MFA) for the root user from the AWS Management Console:
- Sign in to the AWS Management Console with the root user credentials (the account e-mail address and password). Only the root user can manage its own MFA device; an IAM administrator cannot enrol one on its behalf.
- Open the MFA settings. Either go to the Services menu, select IAM (Identity and Access Management) and use the root-user MFA item in the Security recommendations section of the IAM dashboard (labelled Security Status with a Manage MFA button in older console layouts), or open the account menu at the top right, choose Security credentials and click Assign MFA device under Multi-factor authentication (MFA).
- Follow the MFA setup wizard. Choose the device type (authenticator app, FIDO security key or passkey, or hardware TOTP token) and complete enrolment by scanning the QR code and entering two consecutive codes from the authenticator, or by touching the security key. For the root user, prefer a hardware device stored in a safe, separately from the password, and register more than one device so that losing a single token does not lock you out of the account.
- Verify the result: the IAM dashboard no longer flags the root user, and aws iam get-account-summary reports AccountMFAEnabled as 1.
By following these steps you ensure that MFA is enabled for the root user, which is the single largest reduction in the damage a leaked root password can do.
To address the same misconfiguration from the AWS CLI, keep two limitations in mind. The root user is not an IAM user, so IAM commands that take --user-name (enable-mfa-device, or list-mfa-devices --user-name root) fail with NoSuchEntity unless an IAM user that happens to be named "root" exists, and AWS documents root-user MFA enrolment as a console operation (the Security credentials > Assign MFA device flow described above). The CLI is therefore most useful for creating the device, verifying the result, and enforcing MFA on the IAM principals that policies can reach:
- Create a virtual MFA device (optional; the console wizard creates one for you). When --outfile is given, --bootstrap-method is also required. The command writes a QR code PNG to scan with an authenticator app and returns the device ARN, arn:aws:iam::<account-id>:mfa/root-account-mfa:
aws iam create-virtual-mfa-device --virtual-mfa-device-name root-account-mfa --outfile /path/to/qr-code.png --bootstrap-method QRCodePNG
- Enable the device. For the root user, finish the enrolment in the console by entering two consecutive codes from the authenticator. For an IAM user, the equivalent CLI call is:
aws iam enable-mfa-device --user-name <iam-user-name> --serial-number arn:aws:iam::<account-id>:mfa/<device-name> --authentication-code1 <MFA_CODE_1> --authentication-code2 <MFA_CODE_2>
- Verify. The account summary is the authoritative signal and can be read by any principal with iam:GetAccountSummary; the value is 1 when the root user has an MFA device and 0 otherwise:
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
When the CLI is running with root credentials, list-mfa-devices without --user-name lists the devices of the calling identity, i.e. the root user:
aws iam list-mfa-devices
- Enforce MFA usage for IAM principals. The policy below denies every action unless the request carries aws:MultiFactorAuthPresent set to true. BoolIfExists rather than Bool is required because requests signed with long-term access keys do not carry that condition key at all, and Bool never matches an absent key, so it would silently let every access-key call through. Three caveats: IAM policies cannot be attached to the root user, so this policy does nothing for root (to constrain the root user of member accounts, use an AWS Organizations service control policy, which applies to member-account root users but not to the management account); as written, the blanket Deny also prevents a user who has no device yet from enrolling one, which is why AWS's documented version uses NotAction to exempt iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ListMFADevices, iam:GetUser and sts:GetSessionToken; and it belongs on IAM users, groups or roles, not in place of root MFA.
aws iam create-policy --policy-name EnforceMFA --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }'
These steps let you confirm from the CLI that the root user has MFA enabled and enforce MFA for the rest of the account's IAM principals.
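The following is an added example, not code from the original page or from AWS. It builds the deny-unless-MFA policy with the self-service exception that AWS's documented example uses, and then runs a deliberately small model of IAM's Deny evaluation over constructed request contexts to show why the condition must use BoolIfExists: with Bool, a request signed by a long-term access key (which carries no aws:MultiFactorAuthPresent key) is not denied at all. The evaluator handles only Deny statements with Action/NotAction and the two Bool operators; the action list and the request contexts are assumptions for illustration.

```python
"""Deny-unless-MFA IAM policy with MFA self-service exception, plus a small
model of IAM's Deny evaluation that contrasts Bool with BoolIfExists.
Added example; the evaluator is a teaching aid, not a policy simulator."""
import json

# IAM/STS actions a user needs in order to enrol and use an MFA device before
# they have one. Modelled on AWS's documented "deny all except listed if no MFA"
# example; trim or extend the list for your environment (assumption).
MFA_SELF_SERVICE_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def build_enforce_mfa_policy(condition_operator="BoolIfExists"):
    """Deny everything except MFA self-service when the request lacks MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMFASelfServiceWithoutMFA",
            "Effect": "Deny",
            "NotAction": MFA_SELF_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {condition_operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching with trailing-wildcard support ("*", "iam:List*")."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_matches(operator, key, expected, context):
    """Bool and BoolIfExists differ only when the key is absent from the request:
    Bool never matches an absent key, BoolIfExists treats absence as a match."""
    if key not in context:
        return operator == "BoolIfExists"
    return str(context[key]).lower() == expected.lower()


def is_denied(policy, action, context):
    """True if any Deny statement (Action/NotAction + Bool/BoolIfExists) applies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            in_scope = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            in_scope = any(_action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        if not in_scope:
            continue
        conditions_hold = all(
            _condition_matches(op, key, expected, context)
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        )
        if conditions_hold:
            return True
    return False


# Constructed request contexts. A request signed with a long-term access key
# carries no aws:MultiFactorAuthPresent key at all; console and STS sessions
# carry it as "true" or "false".
CASES = {
    "access_key_no_mfa": ("s3:ListAllMyBuckets", {}),
    "console_no_mfa": ("s3:ListAllMyBuckets", {"aws:MultiFactorAuthPresent": "false"}),
    "console_with_mfa": ("s3:ListAllMyBuckets", {"aws:MultiFactorAuthPresent": "true"}),
    "enroll_without_mfa": ("iam:EnableMFADevice", {}),
}


def evaluate_cases(condition_operator):
    """Map each case name to whether the policy built with that operator denies it."""
    policy = build_enforce_mfa_policy(condition_operator)
    return {name: is_denied(policy, action, ctx) for name, (action, ctx) in CASES.items()}


if __name__ == "__main__":
    print(json.dumps(build_enforce_mfa_policy(), indent=2))
    for op in ("Bool", "BoolIfExists"):
        print(op, evaluate_cases(op))
```

Running it prints the policy document ready for aws iam create-policy --policy-document file://..., followed by the evaluation: with Bool the access-key case comes back not denied, with BoolIfExists it is denied, and in both variants the enrolment action stays allowed because it is in the NotAction list.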
To detect the misconfiguration of not having Multi-Factor Authentication (MFA) enabled for the root account in AWS IAM using Python scripts, you can follow these steps:
- Install the AWS SDK for Python (Boto3) if it is not already in your environment:
pip install boto3
- Write a script that checks MFA status. Boto3's get_account_summary call returns an AccountMFAEnabled counter that is 1 when the root user has an MFA device and 0 otherwise. Reading it needs only the iam:GetAccountSummary permission, so the script should run under a least-privilege IAM user or role rather than root credentials. Do not call list_mfa_devices(UserName='root'): the root user is not an IAM user and the call fails with NoSuchEntity.
import boto3


def root_mfa_enabled(client=None):
    """Return True when the account summary reports an MFA device on the root user."""
    client = client or boto3.client("iam")
    summary = client.get_account_summary()["SummaryMap"]
    return summary.get("AccountMFAEnabled", 0) == 1


def check_root_mfa():
    if root_mfa_enabled():
        print("MFA is enabled for the root account.")
    else:
        print("MFA is NOT enabled for the root account. Please enable it.")


if __name__ == "__main__":
    check_root_mfa()
- Automate the script execution: schedule it with cron (Linux) or Task Scheduler (Windows) for continuous monitoring, giving the job an IAM identity limited to iam:GetAccountSummary. For example, to run the script every day at midnight, add this line to your crontab:
0 0 * * * /usr/bin/python3 /path/to/your_script.py
- Notify administrators: extend the script to send an e-mail (or a Slack message) when MFA is not enabled so that someone can act immediately. The SMTP password is read from the environment rather than written into the script, and the server name and addresses below are placeholders to replace with your own.
import os
import smtplib
from email.mime.text import MIMEText

import boto3

# Placeholder mail settings; the secret comes from the environment, never hard-coded.
SMTP_SERVER = os.environ.get("SMTP_SERVER", "smtp.example.com")
SMTP_PORT = int(os.environ.get("SMTP_PORT", "587"))
SMTP_USER = os.environ.get("SMTP_USER", "alerts@example.com")
SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]
ALERT_TO = os.environ.get("ALERT_TO", "security-team@example.com")


def send_notification(message):
    """E-mail the alert over STARTTLS."""
    msg = MIMEText(message)
    msg["Subject"] = "AWS Root Account MFA Status Alert"
    msg["From"] = SMTP_USER
    msg["To"] = ALERT_TO
    with smtplib.SMTP(SMTP_SERVER, SMTP_PORT) as server:
        server.starttls()
        server.login(SMTP_USER, SMTP_PASSWORD)
        server.sendmail(SMTP_USER, [ALERT_TO], msg.as_string())


def root_mfa_enabled(client=None):
    """AccountMFAEnabled is 1 only when the root user has an MFA device."""
    client = client or boto3.client("iam")
    return client.get_account_summary()["SummaryMap"].get("AccountMFAEnabled", 0) == 1


def check_root_mfa():
    if root_mfa_enabled():
        print("MFA is enabled for the root account.")
        return
    message = "MFA is NOT enabled for the root account. Please enable it."
    print(message)
    send_notification(message)


if __name__ == "__main__":
    check_root_mfa()
By following these steps you detect a root user without MFA within a day of the change and alert the people who can fix it; the fix itself is still the console enrolment described above, since no script can enable root MFA on your behalf.
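As an added example (not code from the original page or from AWS), the check below goes beyond the single AccountMFAEnabled counter and also reads the IAM credential report, which is the other source auditors and CIS tooling use: its <root_account> row carries an mfa_active column and the root user's access-key status. The AWS calls are separated from a pure evaluation function so the logic runs offline against constructed sample reports; the account ID 123456789012 and the user "alice" are placeholders, and the sample CSV uses a subset of the real report's columns.

```python
"""Root-user MFA audit from the account summary and the IAM credential report.
Added example; the sample reports are constructed and use a subset of the
real report's columns."""
import csv
import io

# Literal user name IAM writes for the root user in the credential report.
ROOT_USER = "<root_account>"


def evaluate_root_mfa(summary_map, credential_report_csv):
    """Return a list of findings; an empty list means the root user is compliant.

    summary_map: the SummaryMap dict from iam.get_account_summary()
    credential_report_csv: decoded text of iam.get_credential_report()["Content"]
    """
    findings = []
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("AccountMFAEnabled != 1: the root user has no MFA device")

    rows = {row["user"]: row for row in csv.DictReader(io.StringIO(credential_report_csv))}
    root = rows.get(ROOT_USER)
    if root is None:
        findings.append("credential report contains no <root_account> row")
        return findings
    if root.get("mfa_active") != "true":
        findings.append("credential report: mfa_active is not true for the root user")
    # Root access keys are a separate control, but the same row exposes them and
    # they cannot be scoped down, so flag them in the same pass.
    for slot in ("1", "2"):
        if root.get(f"access_key_{slot}_active") == "true":
            findings.append(f"root user has an active access key in slot {slot}")
    return findings


# Constructed sample reports (subset of the real columns; 123456789012 is the
# placeholder account ID AWS uses in its documentation).
CSV_HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,"
              "password_last_changed,password_next_rotation,mfa_active,"
              "access_key_1_active,access_key_2_active")
NONCOMPLIANT_REPORT = "\n".join([
    CSV_HEADER,
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T10:00:00+00:00,2023-06-01T00:00:00+00:00,"
    "not_supported,false,true,false",
    "alice,arn:aws:iam::123456789012:user/alice,2021-03-03T00:00:00+00:00,"
    "true,2024-05-02T10:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,false,false",
])
# Same report with root MFA active and no root access keys.
COMPLIANT_REPORT = NONCOMPLIANT_REPORT.replace(",false,true,false", ",true,false,false")


def fetch_and_evaluate():
    """Live check. Needs iam:GetAccountSummary, iam:GenerateCredentialReport and
    iam:GetCredentialReport; run it under a least-privilege role, not as root."""
    import time
    import boto3  # imported here so the offline evaluation has no AWS dependency

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    # Report generation is asynchronous: poll until the state is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    report = iam.get_credential_report()["Content"].decode("utf-8")
    return evaluate_root_mfa(summary, report)


if __name__ == "__main__":
    print("non-compliant sample:", evaluate_root_mfa({"AccountMFAEnabled": 0}, NONCOMPLIANT_REPORT))
    print("compliant sample:", evaluate_root_mfa({"AccountMFAEnabled": 1}, COMPLIANT_REPORT))
```

Checking both sources is deliberate: AccountMFAEnabled answers the question instantly, while the credential report is what gets archived as audit evidence and also reveals root access keys, which an attacker who cannot pass the MFA prompt would reach for instead. Swap the __main__ block for fetch_and_evaluate() when running against a real account.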