MFA Should Be Enabled On User Accounts
More Info:
MFA must be enabled on user accounts. AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources.
Risk Level: Critical
Address: Security
Compliance Standards: HIPAA, PCIDSS, GDPR, CISAWS, CBP, NIST, SOC2, ISO27001, AWSWAF
Triage and Remediation
How to Prevent
To prevent the misconfiguration of not having Multi-Factor Authentication (MFA) enabled on user accounts in AWS Identity and Access Management (IAM) using the AWS Management Console, follow these steps:
- Navigate to the IAM Dashboard:
  - Sign in to the AWS Management Console.
  - In the top navigation bar, select “Services” and then choose “IAM” under the “Security, Identity, & Compliance” section.
- Select Users:
  - In the IAM dashboard, click on “Users” in the left-hand navigation pane.
  - This displays a list of all IAM users in your AWS account.
- Enable MFA for Each User:
  - Click on the username of the user for whom you want to enable MFA.
  - On the user details page, select the “Security credentials” tab.
  - Under the “Multi-factor authentication (MFA)” section, click the “Manage” button.
  - Follow the on-screen instructions to assign and activate an MFA device for the user. This typically involves scanning a QR code with an MFA app (such as Google Authenticator) and entering the generated code to verify.
- Enforce MFA Policy:
  - To ensure that all users have MFA enabled, you can create an IAM policy that requires MFA for specific actions.
  - Go to the “Policies” section in the IAM dashboard.
  - Click on “Create policy” and use the JSON editor to define a policy that requires MFA. For example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "BoolIfExists": {
              "aws:MultiFactorAuthPresent": "false"
            }
          }
        }
      ]
    }

  - Attach this policy to all IAM users or groups to enforce MFA. Because the statement denies every action when MFA is absent, attach it only after the user’s device is enrolled (or exempt the MFA-enrollment actions), and note that BoolIfExists also denies requests signed with long-term access keys, which carry no aws:MultiFactorAuthPresent key at all.
By following these steps, you can ensure that MFA is enabled for all IAM user accounts, thereby enhancing the security of your AWS environment.
To prevent the misconfiguration of not having Multi-Factor Authentication (MFA) enabled on user accounts in AWS IAM using the AWS CLI, follow these steps:
- Create an MFA Device for the User: First, you need to create an MFA device for the user. This can be a virtual MFA device or a hardware MFA device. Here, we’ll use a virtual MFA device.

  aws iam create-virtual-mfa-device --virtual-mfa-device-name <VirtualMFADeviceName> --bootstrap-method QRCodePNG --outfile /path/to/qr-code.png

  This command creates a virtual MFA device and writes a QR code to the given file that can be scanned by an MFA application (like Google Authenticator). The CLI requires --bootstrap-method together with --outfile. The PNG embeds the device’s secret seed, so delete it once the device has been scanned.
- Enable MFA for the User: Once the virtual MFA device is created, you need to enable it for the user by associating it with the user account. You will need two consecutive MFA codes from the MFA device.

  aws iam enable-mfa-device --user-name <UserName> --serial-number arn:aws:iam::<AccountID>:mfa/<VirtualMFADeviceName> --authentication-code1 <MFA_Code1> --authentication-code2 <MFA_Code2>

- Require MFA Through an IAM Policy: Attach an IAM policy to the user that requires MFA. The following inline policy denies every action when the request was not authenticated with MFA:

  aws iam put-user-policy --user-name <UserName> --policy-name MFARequired \
    --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"BoolIfExists":{"aws:MultiFactorAuthPresent":"false"}}}]}'

- Verify MFA Device Association: Finally, verify that the MFA device is correctly associated with the user.

  aws iam list-mfa-devices --user-name <UserName>

  This command lists all MFA devices associated with the specified user, allowing you to confirm that the MFA device is properly set up.
By following these steps, you can ensure that MFA is enabled on user accounts in AWS IAM using the AWS CLI.
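The Deny statement used in both the console and CLI steps above has two effects worth seeing before it is attached: because it covers every action, a user who has not yet enrolled a device is also denied the IAM calls needed to enrol one, and because it uses BoolIfExists, requests signed with long-term access keys (which carry no aws:MultiFactorAuthPresent key) are denied too. The following Python is an added example, not code from the original page or from AWS: a toy evaluator that models only the Bool/BoolIfExists semantics and Action/NotAction scoping for a single Deny statement, and compares the page’s policy with a variant that exempts the enrollment actions. The NotAction list is an assumption modelled on AWS’s self-service MFA guidance; review it against your own requirements.

```python
"""Toy evaluator for the MFA Deny statement used in the remediation steps.

Models only what is needed: one Deny statement with Action or NotAction, and
the Bool / BoolIfExists operators on aws:MultiFactorAuthPresent. It is not an
IAM implementation; real policy evaluation has many more rules.
"""

MFA_KEY = "aws:MultiFactorAuthPresent"

# The statement from the console and CLI steps: deny everything when MFA is absent.
DENY_ALL_WITHOUT_MFA = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
}

# Same intent, but NotAction exempts the calls a user needs to enrol a device
# and to obtain an MFA-backed session token. Assumed list for this example,
# modelled on AWS's self-service MFA guidance.
DENY_ALL_WITHOUT_MFA_EXCEPT_ENROLMENT = {
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
}

# The first statement with plain Bool instead of BoolIfExists, to show why
# the IfExists form is used.
DENY_ALL_WITHOUT_MFA_PLAIN_BOOL = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"Bool": {MFA_KEY: "false"}},
}


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists blocks against the request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                # ...IfExists treats a missing key as a match; plain Bool does not.
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(context[key]).lower() != expected.lower():
                return False
    return True


def action_in_scope(statement, action):
    """True if the statement's Action / NotAction covers the requested action."""
    if "Action" in statement:
        listed = statement["Action"]
        listed = [listed] if isinstance(listed, str) else listed
        return "*" in listed or action in listed
    return action not in statement["NotAction"]


def is_denied(statement, action, context):
    """True if this Deny statement blocks `action` for the given request context."""
    return (
        statement["Effect"] == "Deny"
        and action_in_scope(statement, action)
        and condition_matches(statement.get("Condition", {}), context)
    )


# Constructed request contexts. A request signed with long-term access keys
# carries no aws:MultiFactorAuthPresent key at all.
CONSOLE_WITH_MFA = {MFA_KEY: "true"}
CONSOLE_NO_MFA = {MFA_KEY: "false"}
ACCESS_KEY_REQUEST = {}

if __name__ == "__main__":
    cases = [
        ("iam:EnableMFADevice", CONSOLE_NO_MFA, "enrolling a device before MFA exists"),
        ("s3:ListAllMyBuckets", ACCESS_KEY_REQUEST, "CLI call with access keys, no session token"),
        ("s3:ListAllMyBuckets", CONSOLE_WITH_MFA, "console session after MFA"),
    ]
    for action, ctx, label in cases:
        print(f"{label}: deny_all={is_denied(DENY_ALL_WITHOUT_MFA, action, ctx)}, "
              f"with_exception={is_denied(DENY_ALL_WITHOUT_MFA_EXCEPT_ENROLMENT, action, ctx)}, "
              f"plain_bool={is_denied(DENY_ALL_WITHOUT_MFA_PLAIN_BOOL, action, ctx)}")
```

Running it shows the three behaviours: the page’s statement denies iam:EnableMFADevice for a user whose session has no MFA, so a user cannot self-enrol once it is attached; the NotAction variant lets the enrolment calls through while still denying everything else; and with plain Bool the access-key request would not be denied at all, which is why the policy uses BoolIfExists.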
To prevent the misconfiguration of not having Multi-Factor Authentication (MFA) enabled on user accounts in IAM using Python scripts, you can follow these steps for AWS, Azure, and GCP:
AWS
- Install Boto3 Library: Ensure you have the Boto3 library installed, which is the AWS SDK for Python.

  pip install boto3

- Create a Python Script to Enable MFA: Use the following script to enforce MFA on IAM user accounts. It lists all users and, for each user without an MFA device, creates a virtual MFA device, writes its QR code to a file for the user to scan, and activates the device with two consecutive codes that the script prompts for (activation cannot succeed with placeholder codes).

import boto3

# Initialize an IAM client using the default credential chain
iam_client = boto3.client('iam')

# Paginate so accounts with more than one page of users are fully covered
for page in iam_client.get_paginator('list_users').paginate():
    for user in page['Users']:
        user_name = user['UserName']
        mfa_devices = iam_client.list_mfa_devices(UserName=user_name)
        if mfa_devices['MFADevices']:
            print(f'MFA already enabled for user: {user_name}')
            continue

        # Create a virtual MFA device; the response carries the QR code seed
        mfa_device = iam_client.create_virtual_mfa_device(
            VirtualMFADeviceName=f'{user_name}_mfa'
        )['VirtualMFADevice']
        qr_path = f'{user_name}_mfa.png'
        with open(qr_path, 'wb') as qr_file:
            qr_file.write(mfa_device['QRCodePNG'])
        # The PNG embeds the secret seed: delete it once the device is scanned
        print(f'Scan {qr_path} with the MFA app, then enter two consecutive codes')

        # Two consecutive codes from the device are required to activate it
        code1 = input('First MFA code: ').strip()
        code2 = input('Second MFA code: ').strip()
        iam_client.enable_mfa_device(
            UserName=user_name,
            SerialNumber=mfa_device['SerialNumber'],
            AuthenticationCode1=code1,
            AuthenticationCode2=code2,
        )
        print(f'MFA enabled for user: {user_name}')
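Enrolling devices one user at a time covers remediation; auditing the whole account for the misconfiguration is usually done from the IAM credential report, which lists every user (and the root account) with a mfa_active column. The following added example is not code from the original page: it parses a constructed sample report that uses the report’s real column layout (account id and user names are made up), flags console-capable principals without MFA, and separately lists key-only service users. fetch_credential_report() pulls the live report with boto3 and is assumed to run with iam:GenerateCredentialReport and iam:GetCredentialReport permissions; boto3 is imported lazily so the parsing runs offline on a saved CSV.

```python
import csv
import io
import time

# Constructed sample with the column layout of the IAM credential report.
# Account id and names are made up; the header row is the real report header.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-10T09:15:00+00:00,true,2024-05-02T08:00:00+00:00,2023-03-10T09:15:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T12:00:00+00:00,true,2024-04-28T14:30:00+00:00,2023-06-01T12:00:00+00:00,N/A,false,true,2023-06-01T12:00:00+00:00,2024-05-01T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-11-20T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-11-20T00:00:00+00:00,2024-05-02T07:45:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"


def parse_report(report_csv):
    """Parse the credential report CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def users_without_mfa(report_csv, include_root=True):
    """Return principals that can sign in to the console but have no MFA device.

    The root account always has a password (the report says not_supported for
    its password_enabled column), so it is treated as console-capable. Users
    with password_enabled == false are key-only service users and are not
    console MFA findings; see key_only_users().
    """
    findings = []
    for row in parse_report(report_csv):
        is_root = row["user"] == ROOT
        if is_root and not include_root:
            continue
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            findings.append({"user": row["user"], "arn": row["arn"], "root": is_root})
    return findings


def key_only_users(report_csv):
    """IAM users with no console password but an active access key.

    Tracked separately: MFA cannot be attached to API calls made with
    long-term keys, so these identities need their own controls.
    """
    return [
        row["user"]
        for row in parse_report(report_csv)
        if row["user"] != ROOT
        and row["password_enabled"] != "true"
        and (row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true")
    ]


def fetch_credential_report():
    """Generate and download the live report for the current account.

    Assumes iam:GenerateCredentialReport and iam:GetCredentialReport are
    granted. boto3 is imported here so the parsing functions run offline.
    """
    import boto3

    iam = boto3.client("iam")
    # Generation is asynchronous; poll until the report is COMPLETE
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for finding in users_without_mfa(SAMPLE_REPORT):
        who = "ROOT ACCOUNT" if finding["root"] else "IAM user"
        print(f"{who} without MFA: {finding['user']} ({finding['arn']})")
    print("key-only users:", key_only_users(SAMPLE_REPORT))
```

On the sample, the root account and bob are reported (console password, no MFA), alice passes, and ci-deploy appears only in the key-only list. To audit a real account, replace SAMPLE_REPORT with the string returned by fetch_credential_report().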
Azure
- Install the Azure Identity Library: Ensure you have azure-identity (for authentication) and requests installed. User MFA registration state and MFA enforcement are exposed through Microsoft Graph; the azure-mgmt-authorization SDK manages RBAC role assignments and has no user API, so it is not used here.

  pip install azure-identity requests

- Create a Python Script to Enforce MFA: Use the following script to report which users have not registered MFA and to create a Conditional Access policy that requires MFA for all users. The identity running it needs the AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess Graph permissions, and Conditional Access requires a Microsoft Entra ID P1 or P2 license.

import requests
from azure.identity import DefaultAzureCredential

GRAPH = 'https://graph.microsoft.com/v1.0'

# Acquire a Microsoft Graph token with the default credential chain
credential = DefaultAzureCredential()
token = credential.get_token('https://graph.microsoft.com/.default').token
headers = {'Authorization': f'Bearer {token}'}

# Report every user's MFA registration state, following pagination
url = f'{GRAPH}/reports/authenticationMethods/userRegistrationDetails'
while url:
    resp = requests.get(url, headers=headers, timeout=30)
    resp.raise_for_status()
    body = resp.json()
    for user in body['value']:
        state = 'registered' if user['isMfaRegistered'] else 'NOT registered'
        print(f"MFA {state}: {user['userPrincipalName']}")
    url = body.get('@odata.nextLink')

# Enforce MFA with a Conditional Access policy. It is created in report-only
# mode; change state to 'enabled' after excluding break-glass accounts.
policy = {
    'displayName': 'Require MFA for all users',
    'state': 'enabledForReportingButNotEnforced',
    'conditions': {
        'users': {'includeUsers': ['All']},
        'applications': {'includeApplications': ['All']},
    },
    'grantControls': {'operator': 'OR', 'builtInControls': ['mfa']},
}
resp = requests.post(f'{GRAPH}/identity/conditionalAccess/policies',
                     headers=headers, json=policy, timeout=30)
resp.raise_for_status()
print(f"Conditional Access policy created: {resp.json()['id']}")
GCP
- Install the Google API Client Libraries: Ensure you have the google-auth and google-api-python-client libraries installed.

  pip install google-auth google-api-python-client

- Create a Python Script to Report 2-Step Verification Status: Use the following script to find Google Workspace users who are not enrolled in 2-Step Verification (Google’s MFA). The isEnrolledIn2Sv and isEnforcedIn2Sv user fields are read-only in the Directory API, so enforcement cannot be set by updating the user; it is configured per organizational unit in the Google Admin console under Security > Authentication > 2-Step Verification. The service account must have domain-wide delegation and impersonate a super admin of the domain.

from google.oauth2 import service_account
from googleapiclient.discovery import build

SCOPES = ['https://www.googleapis.com/auth/admin.directory.user.readonly']

# A service account cannot list Workspace users on its own: it needs
# domain-wide delegation and must impersonate an admin of the domain
credentials = service_account.Credentials.from_service_account_file(
    'path/to/your/service-account-file.json', scopes=SCOPES
).with_subject('admin@your-domain.example')
service = build('admin', 'directory_v1', credentials=credentials)

# List every user, following pagination, and report 2SV state
page_token = None
while True:
    results = service.users().list(
        customer='my_customer', maxResults=200, pageToken=page_token
    ).execute()
    for user in results.get('users', []):
        # isEnrolledIn2Sv / isEnforcedIn2Sv are read-only in the Directory API
        if user.get('isEnrolledIn2Sv'):
            print(f'2SV enrolled: {user["primaryEmail"]}')
        else:
            enforced = 'enforced' if user.get('isEnforcedIn2Sv') else 'not enforced'
            print(f'2SV NOT enrolled ({enforced}): {user["primaryEmail"]}')
    page_token = results.get('nextPageToken')
    if not page_token:
        break
These scripts provide a basic framework for finding user accounts without MFA and enforcing it in AWS, Azure, and GCP. You may need to adjust the scripts based on your specific requirements and environment.