
User MFA not Enforced and Missing MFA Device

Overview

NOTE: this check only validates MFA for AWS IAM users and it does not evaluate federated users since MFA for those users is managed at the Identity Provider, not within AWS. This check only looks for IAM users with a password set and does not evaluate IAM user accounts that have only Access Keys since those are often service accounts.

Multifactor Authentication (MFA) is possibly the single most important management plane security control available when working in the cloud. It is the only way to prevent attackers from accessing the cloud when they are able to steal credentials. Credential theft and abuse are the most common source of successful attacks on cloud deployments.

AWS supports MFA enforcement in two ways:

  • Requiring MFA for a user to log into the console. This is a checkbox in the console or can be set via API. This protects console access only; it does not protect API access by a user holding an Access Key/Secret Key pair.
  • Requiring MFA for API activity using a policy attached to the IAM user or group. When MFA is required using this technique it protects both API and console access.
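The second method works because the policy attached to the user or group denies every action whenever the request context does not carry a verified MFA. The example below is added here and is not the page's or AWS's own code: it models, in a few dozen lines, how a deny-without-MFA statement evaluates for the three kinds of caller the two bullets distinguish (a console session with MFA, a console session without MFA, and a request signed with a long-term access key). Only the `Bool` and `BoolIfExists` operators on the `aws:MultiFactorAuthPresent` key are modelled; the request contexts are constructed, and the statement bodies are assumptions in the shape of the policy AWS documents for this purpose.

```python
# Added example (not the page's or AWS's own code): a small model of how a
# "deny everything unless MFA is present" IAM statement evaluates for the
# callers the page distinguishes. Only the Bool and BoolIfExists operators on
# aws:MultiFactorAuthPresent are modelled; the real IAM engine does far more.

# Statement in the shape AWS documents for enforcing MFA on both API and console use.
DENY_WITHOUT_MFA = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# The same intent written with plain Bool, for comparison.
DENY_WITHOUT_MFA_BOOL_ONLY = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed request contexts. aws:MultiFactorAuthPresent is set on temporary
# credentials (console and STS sessions) and is absent altogether when a
# long-term access key signs the request.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
LONG_TERM_ACCESS_KEY = {}


def condition_matches(condition, context):
    """Return True when every operator/key pair in the Condition block matches."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                # ...IfExists treats a missing key as a match; plain Bool does not.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_denied(statement, context):
    """True when a Deny statement applies to the given request context."""
    return statement["Effect"] == "Deny" and condition_matches(
        statement.get("Condition", {}), context
    )


def evaluate_all(statement):
    """Map each constructed caller to whether the statement denies it."""
    return {
        "console_with_mfa": is_denied(statement, CONSOLE_WITH_MFA),
        "console_no_mfa": is_denied(statement, CONSOLE_NO_MFA),
        "long_term_access_key": is_denied(statement, LONG_TERM_ACCESS_KEY),
    }


if __name__ == "__main__":
    for name, stmt in (("BoolIfExists", DENY_WITHOUT_MFA),
                       ("Bool", DENY_WITHOUT_MFA_BOOL_ONLY)):
        print(name, evaluate_all(stmt))
```

The point the model makes is the one that matters for the second bullet: with `Bool`, a request signed by a plain access key carries no `aws:MultiFactorAuthPresent` key at all, the condition does not match, and the Deny never fires, so API access stays unprotected. `BoolIfExists` treats the missing key as "false" and closes that gap. The policy AWS documents for real deployments also carves out the few IAM actions a user needs to enroll their own MFA device; that refinement is omitted here to keep the model small.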

MFA is a CIS Benchmark requirement and a requirement for most other compliance standards.

This check identifies IAM users that have a console password but do not have an MFA device attached.

  • Defends the cloud deployment from credential theft or accidental exposure and related unapproved access and attacks.
  • Ensures continuous compliance across both the console and API access.
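One way to implement this check against the scope the NOTE above describes is to read the account's IAM credential report, which lists every IAM user with `password_enabled` and `mfa_active` columns (the same source CIS AWS 1.10 uses). The example below is added here and is not the page's own code. The report content is a constructed sample with only a subset of the real report's columns; `fetch_credential_report` assumes a boto3 IAM client is passed in and is not exercised offline.

```python
import csv
import io

# Constructed sample in the layout of an IAM credential report. Only a subset
# of the real report's columns is shown; the check reads columns by name, so
# the extra columns in a live report are simply ignored.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T12:00:00+00:00,true,2024-05-02T08:00:00+00:00,true,false,false
bob,arn:aws:iam::123456789012:user/bob,2021-03-10T12:00:00+00:00,true,2024-04-30T15:30:00+00:00,false,false,false
carol,arn:aws:iam::123456789012:user/carol,2022-07-01T12:00:00+00:00,true,no_information,false,true,false
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2022-07-01T12:00:00+00:00,false,no_information,false,true,false
"""


def users_missing_mfa(report_csv):
    """Return findings for IAM users that can sign in with a password but have no MFA.

    Mirrors the page's scope: the root account and access-key-only users are
    skipped, and federated identities never appear in the report at all.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root MFA is a separate control
        if row["password_enabled"].lower() != "true":
            continue  # no console password: access-key-only, often a service account
        if row["mfa_active"].lower() == "true":
            continue  # MFA device present, nothing to report
        key_flags = (row.get("access_key_1_active", "").lower(),
                     row.get("access_key_2_active", "").lower())
        findings.append({
            "user": row["user"],
            "arn": row["arn"],
            # Useful triage context: a password-only user is exposed to console
            # credential theft; one that also holds keys is exposed on the API too.
            "has_access_keys": "true" in key_flags,
        })
    return sorted(findings, key=lambda f: f["user"])


def fetch_credential_report(iam_client):
    """Pull a fresh report from a live account (assumes a boto3 IAM client).

    generate_credential_report is asynchronous, so poll until COMPLETE.
    """
    import time
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam_client.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for finding in users_missing_mfa(SAMPLE_REPORT):
        print(finding)
```

On the constructed sample, `alice` is clean, `svc-backup` is excluded because it has no password, the root row is skipped, and `bob` and `carol` are reported, with `carol` flagged as also holding an active access key.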

Vendor

AWS

Cloud Service

IAM

PCI DSS 8.3.1

CIS AWS v1.5.0 1.10, CSMM v1 IAM-02.2, IAM.5, IAM.19

Severity

4

Item Types

AWS::IAM::User