IAM User Has Access Key Without MFA Enforced

Overview

IAM users that access the AWS API using long-term credentials (access keys) should have a policy applied that enforces MFA for most actions.

Vendor

AWS

Cloud Service

IAM

Input

{"allowedServices":{"label":"Allowed Services","helpText":"Services allowed without MFA","type":"string[]","value":["iam:CreateVirtualMFADevice","iam:EnableMFADevice","iam:GetUser","iam:GetMFADevice","iam:ListMFADevices","iam:ListVirtualMFADevices","iam:ResyncMFADevice","sts:GetSessionToken"]}}

CSMM v1 IAM-03.2, IAM.19

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-user-mfa, https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html

Severity

4

Item Types

AWS::IAM::User
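
One way to test a single policy document for the guardrail this rule expects, using the Deny/NotAction pattern with an MFA condition that AWS documents. This is an added example, not the rule's own implementation: the function names and sample policies are constructed, and only the NotAction form is handled.

```python
# Default "Allowed Services" input listed on this page.
ALLOWED = {
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:GetMFADevice", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice", "sts:GetSessionToken",
}

def _as_list(value):
    """IAM accepts a scalar wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _denies_without_mfa(condition):
    """Access-key requests carry no aws:MultiFactorAuthPresent key at all,
    so only BoolIfExists matches them; plain Bool never fires for them."""
    if list(condition) != ["BoolIfExists"]:
        return False  # other or extra operators would narrow the Deny
    keys = {k.lower(): [str(v).lower() for v in _as_list(vals)]
            for k, vals in condition["BoolIfExists"].items()}
    return keys == {"aws:multifactorauthpresent": ["false"]}

def enforces_mfa(policy, allowed=ALLOWED):
    """True if a Deny statement blocks every action outside `allowed`
    on all resources when the request was made without MFA."""
    allowed_lc = {a.lower() for a in allowed}  # action names are case-insensitive
    for stmt in _as_list(policy.get("Statement")):
        exempt = [a.lower() for a in _as_list(stmt.get("NotAction"))]
        if (stmt.get("Effect") == "Deny"
                and exempt and all(a in allowed_lc for a in exempt)
                and "*" in _as_list(stmt.get("Resource"))
                and _denies_without_mfa(stmt.get("Condition", {}))):
            return True
    return False

def sample_policy(operator, not_action):
    """Constructed test policy, not taken from a real account."""
    return {"Version": "2012-10-17", "Statement": {
        "Effect": "Deny", "NotAction": not_action, "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}}

GOOD = sample_policy("BoolIfExists", sorted(ALLOWED))
BAD_BOOL = sample_policy("Bool", sorted(ALLOWED))  # never matches access keys
BAD_WIDE = sample_policy("BoolIfExists", sorted(ALLOWED) + ["s3:*"])

if __name__ == "__main__":
    for name, pol in [("GOOD", GOOD), ("BAD_BOOL", BAD_BOOL), ("BAD_WIDE", BAD_WIDE)]:
        print(name, enforces_mfa(pol))
```

A wildcard entry in NotAction is treated as outside the allowed list, so a policy that exempts a whole service is reported as not enforcing MFA.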