Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: users-mfa-enabled
ID: AVD-AWS-0123

IAM groups should have MFA enforcement activated.

IAM groups should be protected with multi-factor authentication as a safeguard against password compromise: a stolen or guessed password alone is then not enough to use the group's permissions.

Impact

IAM groups are more vulnerable to compromise without multi-factor authentication activated.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the AWS Management Console.
  2. Select the "Services" option and search for IAM.
  3. Scroll down the left navigation panel and choose "Users".
  4. Select the user that needs to be verified and click on the "User name" to open the selected IAM user.
  5. Click on "Security Credentials" on the configuration page.
  6. Scroll down the "Security Credentials" tab and check "Assigned MFA device". Check the "Multi-factor authentication (MFA)" section for any active devices. If "Not assigned" is shown against "Assigned MFA device", then a multi-factor authentication device is not enabled for the selected user account.
  7. Repeat steps 2 - 6 to check the other IAM users.
  8. On the "Your Security Credentials" page, scroll down to "Multi-factor authentication (MFA)" and click the "Manage" link to enable a multi-factor authentication device.
  9. Click on "Virtual MFA device" and click "Continue".
  10. Install an AWS MFA-compatible application on a mobile device or computer. Once the application is installed, click "Show QR code" and scan the code with the application.
  11. Enter two consecutive MFA codes generated by the application in "MFA code 1" and "MFA code 2" and click the "Assign MFA" button.
  12. On successful setup the message "You have successfully assigned virtual MFA" is shown.
  13. Repeat steps 8 - 12 to enable a multi-factor authentication device for all other IAM users.
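Clicking through every user as in steps 2 - 6 does not scale. The same information is in the IAM credential report (the base64-encoded CSV returned in the `Content` field of `aws iam get-credential-report`), whose `password_enabled` and `mfa_active` columns are what a check like users-mfa-enabled inspects. The following is an added example, not code from the page or from Trivy: it decodes a constructed sample report and lists every principal that can sign in with a password but has no MFA device. The sample rows are made up; only the column names follow the real report.

```python
"""Offline check for IAM users who can log in with a password but have no MFA.

Added example, not part of the Trivy/AVD page. It reads the IAM credential
report format (the CSV that `aws iam get-credential-report` returns,
base64-encoded, in its `Content` field). The report embedded below is
constructed sample data, not real account output.
"""
import base64
import csv
import io

# Constructed sample report. Column names match the real credential report
# (a subset is shown); only password_enabled and mfa_active matter here.
SAMPLE_REPORT_B64 = base64.b64encode(
    "\n".join([
        "user,arn,user_creation_time,password_enabled,password_last_used,"
        "password_last_changed,password_next_rotation,mfa_active,"
        "access_key_1_active,access_key_2_active",
        # root: password_enabled is reported as not_supported, mfa_active is real
        "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
        "not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,"
        "false,false,false",
        # console user with MFA: compliant
        "alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,"
        "true,2024-05-02T09:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,true,false",
        # console user without MFA: finding
        "bob,arn:aws:iam::111122223333:user/bob,2021-03-04T00:00:00+00:00,"
        "true,no_information,2023-01-01T00:00:00+00:00,N/A,false,false,false",
        # access-key-only service user: no console password to protect
        "ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,"
        "2022-07-07T00:00:00+00:00,false,N/A,N/A,N/A,false,true,false",
    ]).encode()
).decode()


def parse_credential_report(content_b64: str) -> list[dict]:
    """Decode the base64 CSV body of get-credential-report into row dicts."""
    raw = base64.b64decode(content_b64).decode("utf-8")
    return list(csv.DictReader(io.StringIO(raw)))


def users_without_mfa(rows: list[dict]) -> list[str]:
    """Return the names of principals that can use a console password without MFA.

    A user with password_enabled == "false" (access keys only) has no console
    login to protect with MFA and is not flagged. The root account is flagged
    whenever mfa_active is "false", because root can always sign in.
    """
    findings = []
    for row in rows:
        is_root = row["user"] == "<root_account>"
        password_login = is_root or row["password_enabled"].lower() == "true"
        mfa = row["mfa_active"].lower() == "true"
        if password_login and not mfa:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for name in users_without_mfa(parse_credential_report(SAMPLE_REPORT_B64)):
        print(f"MEDIUM users-mfa-enabled: {name} has console access without MFA")
```

Against a live account, replace `SAMPLE_REPORT_B64` with the `Content` field of `aws iam generate-credential-report` followed by `aws iam get-credential-report`; the report can be up to four hours stale, so regenerate it after remediating. Note that access-key-only users are deliberately not flagged here: they have no password for MFA to protect, which is a separate conversation about whether they should exist at all.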

Use the terraform-module/enforce-mfa/aws module to ensure that MFA is enforced for the members of a group:

```hcl
# Account ID of the caller, passed to the module so its policy can be scoped
# to the account.
data "aws_caller_identity" "current" {}

# The group whose members must authenticate with MFA.
resource "aws_iam_group" "support" {
  name = "support"
}

module "enforce_mfa" {
  source  = "terraform-module/enforce-mfa/aws"
  version = "0.12.0"

  policy_name = "managed-mfa-enforce"
  account_id  = data.aws_caller_identity.current.account_id
  groups      = [aws_iam_group.support.name]

  # Module options that let members manage their own signing certificates,
  # SSH public keys and Git credentials.
  manage_own_signing_certificates = true
  manage_own_ssh_public_keys      = true
  manage_own_git_credentials      = true
}
```
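Enforcement of this kind rests on an IAM policy that denies actions unless the request carries the `aws:MultiFactorAuthPresent` context key with the value `true`, while exempting the handful of `iam:` actions a user needs to enrol a device. The subtlety practitioners trip over is that the key is absent, not `false`, for requests signed with long-term access keys, so a `Bool` condition never matches them and the Deny silently does not apply; `BoolIfExists` treats an absent key as a match. The following added example is not the module's policy and not code from the page: it models only this slice of IAM condition evaluation for a hypothetical Deny statement, so the difference can be seen on constructed request contexts.

```python
"""Model of how a Deny-unless-MFA IAM statement behaves for different callers.

Added example, not from the page and not the terraform-module/enforce-mfa
policy. It implements only the part of IAM condition evaluation needed to
show why `BoolIfExists` rather than `Bool` is the right operator for
aws:MultiFactorAuthPresent. The statement and request contexts are constructed.
"""

MFA_KEY = "aws:MultiFactorAuthPresent"

# Self-service actions a user must be able to call before having MFA.
# A real policy would also scope these to the caller's own user ARN.
SELF_SERVICE = [
    "iam:ChangePassword",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "sts:GetSessionToken",
]


def deny_without_mfa(operator: str) -> dict:
    """Hypothetical Deny statement using the given condition operator."""
    return {
        "Effect": "Deny",
        "NotAction": SELF_SERVICE,
        "Resource": "*",
        "Condition": {operator: {MFA_KEY: "false"}},
    }


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate Bool / BoolIfExists conditions against a request context.

    Plain operators fail when the key is missing from the request; the
    *IfExists variants treat a missing key as matching.
    """
    for operator, pairs in condition.items():
        base = operator.removesuffix("IfExists")
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_denies(statement: dict, action: str, context: dict) -> bool:
    """True if this Deny statement applies to `action` under `context`."""
    if statement["Effect"] != "Deny":
        return False
    if "NotAction" in statement and action in statement["NotAction"]:
        return False
    if "Action" in statement and action not in statement["Action"]:
        return False
    return condition_matches(statement.get("Condition", {}), context)


# Constructed request contexts for the three kinds of caller.
CONSOLE_WITH_MFA = {MFA_KEY: "true"}      # signed in with MFA
CONSOLE_NO_MFA = {MFA_KEY: "false"}       # temporary creds, no MFA
ACCESS_KEY_NO_MFA = {}                    # long-term access key: key absent

if __name__ == "__main__":
    for op in ("Bool", "BoolIfExists"):
        stmt = deny_without_mfa(op)
        for name, ctx in (("console+MFA", CONSOLE_WITH_MFA),
                          ("console-noMFA", CONSOLE_NO_MFA),
                          ("access-key", ACCESS_KEY_NO_MFA)):
            verdict = "DENY" if statement_denies(stmt, "s3:ListBucket", ctx) else "pass"
            print(f"{op:13} {name:14} s3:ListBucket -> {verdict}")
```

Two consequences follow for a group wired up as in the Terraform above. First, with `BoolIfExists` every member's long-term access keys are blocked for everything outside the self-service exemptions until they obtain MFA-backed temporary credentials (for example via `sts:GetSessionToken` with a token code), so CI or service users should not be placed in such a group. Second, the self-service exemptions must be restricted to the caller's own user ARN (`arn:aws:iam::<account>:user/${aws:username}`), otherwise an attacker with a stolen password could enrol an MFA device on someone else's user.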