IAM groups should be protected with multi-factor authentication (MFA): every user in the group should have an MFA device assigned, so that a compromised password alone is not enough to sign in.
Impact
Recommended Actions
Follow the remediation steps below to resolve the issue.
1. Log in to the AWS Management Console.
2. Select the "Services" option and search for IAM.
3. In the left navigation panel, choose "Users".
4. Click the "User name" of the user you want to verify to open that IAM user.
5. Open the "Security credentials" tab on the user's configuration page.
6. Scroll down the "Security credentials" tab to the "Multi-factor authentication (MFA)" section and check "Assigned MFA device" for any active devices. If "Assigned MFA device" shows "Not assigned", no MFA device is enabled for the selected user.
7. Repeat steps 2 - 6 for each remaining IAM user.
8. On the "Security credentials" page, scroll down to "Multi-factor authentication (MFA)" and click the "Manage" link to enable an MFA device.
9. Select "Virtual MFA device" and click "Continue".
10. Install an AWS MFA compatible application (a TOTP authenticator) on a mobile device or computer. Once it is installed, click "Show QR code" and scan the code with the application.
11. Enter two consecutive MFA codes generated by the application into "MFA code 1" and "MFA code 2" and click "Assign MFA".
12. On success the console shows the message "You have successfully assigned virtual MFA".
13. Repeat steps 8 - 12 to enable an MFA device for all other IAM users.
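Clicking through every user does not scale past a handful of accounts. The IAM credential report lists, per user, whether a console password is enabled and whether MFA is active, so the check in the steps above can be scripted. The following is an added example written for this page, not code from the original page or from any AWS tool; it uses only the Python standard library and a constructed, trimmed sample of a credential report (the real report has many more columns, but the parser only reads `user`, `password_enabled` and `mfa_active`, which are real column names).

```python
import base64
import csv
import io

# Constructed sample of an IAM credential report, trimmed to the columns this
# audit needs. A real report (aws iam get-credential-report) has more columns and
# one row per IAM user plus a <root_account> row. Account ID is a placeholder.
SAMPLE_REPORT_CSV = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,true,false
bob,arn:aws:iam::111122223333:user/bob,true,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false
carol,arn:aws:iam::111122223333:user/carol,true,false
"""

# get-credential-report returns the CSV base64-encoded in its Content field;
# this is the sample above encoded the same way.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode("utf-8")).decode("ascii")


def decode_report(content_b64):
    """Decode the base64 Content field of get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def parse_report(report_csv):
    """Return the credential report as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def users_without_mfa(report_csv):
    """IAM users who can sign in to the console with a password but have no MFA.

    Users with password_enabled=false are access-key-only; assigning a device
    does nothing for them, so they are not flagged here. Requiring MFA for API
    calls is a policy matter (aws:MultiFactorAuthPresent), not device assignment.
    """
    flagged = []
    for row in parse_report(report_csv):
        if row["user"] == "<root_account>":
            continue  # root is checked separately by root_has_mfa()
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return sorted(flagged)


def root_has_mfa(report_csv):
    """True if the account's root user has an MFA device active."""
    for row in parse_report(report_csv):
        if row["user"] == "<root_account>":
            return row["mfa_active"] == "true"
    raise ValueError("credential report has no <root_account> row")


if __name__ == "__main__":
    # Against a real account (needs the aws CLI and iam:GenerateCredentialReport
    # plus iam:GetCredentialReport):
    #   aws iam generate-credential-report
    #   aws iam get-credential-report --query Content --output text > report.b64
    # then: users_without_mfa(decode_report(open("report.b64").read()))
    print("users with password but no MFA:", users_without_mfa(SAMPLE_REPORT_CSV))
    print("root has MFA:", root_has_mfa(SAMPLE_REPORT_CSV))
```

The report is generated asynchronously, so `generate-credential-report` may need to be called again until it reports `COMPLETE`; the script deliberately reads the report from a file rather than calling the API so it can run offline and be fed a report exported from another account.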
Assigning a device only protects console sign-in; a user's long-term access keys still work without MFA. To make MFA mandatory, attach an IAM policy that denies actions unless the request was made with MFA (the aws:MultiFactorAuthPresent condition key), for example with terraform-module/enforce-mfa/aws, which manages such a policy for IAM groups.
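The enforce-MFA policy has one well-known pitfall: requests made with long-term access keys carry no aws:MultiFactorAuthPresent key in the request context at all, so a Deny conditioned on `"Bool": {"aws:MultiFactorAuthPresent": "false"}` never matches them and the keys bypass the policy. The `BoolIfExists` operator treats a missing key as a match and closes that hole. The example below is added for this page and is not the Terraform module's code; it builds the policy document in the AWS-documented "deny all except MFA self-service" shape (the self-service action list is a trimmed assumption of this example) and includes a deliberately minimal model of how IAM evaluates a Bool vs BoolIfExists condition on a single key, to show the difference on three request contexts. The evaluator is not the real IAM engine and covers only what this policy uses.

```python
import json

# Actions a user must still be able to perform without MFA, so they can enrol a
# device and obtain an MFA-backed session. Trimmed from the AWS-documented
# self-service pattern; treat the exact list as an assumption of this example.
SELF_SERVICE_ACTIONS = [
    "iam:ChangePassword",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def enforce_mfa_policy(operator="BoolIfExists"):
    """Policy denying everything except MFA self-service unless MFA was used.

    operator="BoolIfExists" is the hardened form; operator="Bool" is the weak
    form that leaves access-key calls (no MFA key in context) undenied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptSelfServiceWithoutMFA",
            "Effect": "Deny",
            "NotAction": SELF_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def deny_matches(statement, action, request_context):
    """Simplified model: does this Deny statement apply to the request?

    Only Bool / BoolIfExists on string-or-bool values are modelled. For a key
    missing from the request context, ...IfExists evaluates the condition as
    true, while plain Bool makes the condition (and so the statement) not match.
    """
    if action in statement.get("NotAction", []):
        return False
    for operator, pairs in statement["Condition"].items():
        for key, expected in pairs.items():
            if key not in request_context:
                if not operator.endswith("IfExists"):
                    return False
                continue
            if str(request_context[key]).lower() != expected:
                return False
    return True


def is_denied(policy, action, request_context):
    """True if any Deny statement in the policy matches the request."""
    return any(deny_matches(s, action, request_context)
               for s in policy["Statement"] if s["Effect"] == "Deny")


# Request contexts as IAM sees them. Console sessions carry the key as true or
# false; calls signed with long-term access keys carry no such key at all.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": True}
CONSOLE_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": False}
ACCESS_KEY_CALL = {}


if __name__ == "__main__":
    print(json.dumps(enforce_mfa_policy(), indent=2))
    for name, policy in (("BoolIfExists", enforce_mfa_policy()),
                         ("Bool", enforce_mfa_policy("Bool"))):
        for ctx_name, ctx in (("console+MFA", CONSOLE_WITH_MFA),
                              ("console no MFA", CONSOLE_WITHOUT_MFA),
                              ("access key", ACCESS_KEY_CALL)):
            print(f"{name:12} {ctx_name:15} s3:ListBucket denied: "
                  f"{is_denied(policy, 's3:ListBucket', ctx)}")
```

Attach the generated document as a customer managed policy to the IAM group rather than to individual users, and keep sts:GetSessionToken in the exception list: that is the call a user makes with their MFA code to obtain temporary credentials that do carry aws:MultiFactorAuthPresent=true, after which the rest of the API opens up.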