A-IAM-17

IAM User Without MFA

Risk: High

AWS IAM Users should have MFA enabled and active.


Details

AWS IAM (Identity and Access Management) users are designed for use by individuals, allowing natural persons to access the AWS console with a username and password as well as through Access Keys for the AWS SDKs and the CLI. A crucial security measure is ensuring that IAM Users have multi-factor authentication (MFA) devices enabled and active. This adds an important layer of security, helping to confirm that any request for IAM Role assumption or console access comes from a legitimate user rather than from a brute-force attack or a stolen username and password combination.

Depending on the sensitivity of your AWS account, especially in production or sensitive environments, it is critical to require that IAM Users access AWS resources using MFA. This ensures that, in addition to a username and password, an extra layer of authentication is needed to access the account, protecting both the data and the costs associated with your cloud account.

Remediation

Begin by auditing your IAM Users to determine which accounts have multi-factor authentication enabled and which do not. Additionally, review your organisation’s overall security stance regarding MFA. In the past, MFA typically involved hardware tokens, which needed to be distributed and managed for each user. However, with the advent of virtual MFA devices, you should consider whether these newer solutions are acceptable for your organisation. Pay attention to how these devices are managed, deployed, documented and processed for your IAM Users.
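An added example (not SkySiege's tooling) of the first audit step above: parse an IAM credential report, the CSV that `aws iam get-credential-report` returns base64-encoded in its `Content` field, and list every principal that can sign in with a password but has no active MFA device. The sample report, account id and user names are constructed; the column names are the real report's.

```python
import base64
import csv
import io

# Constructed sample of an IAM credential report, using a subset of the real
# report's columns. The account id and users are made up for this example.
SAMPLE_REPORT_CSV = (
    "user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false,false\n"
    "alice,arn:aws:iam::111111111111:user/alice,true,true,true,false\n"
    "bob,arn:aws:iam::111111111111:user/bob,true,false,false,false\n"
    "carol,arn:aws:iam::111111111111:user/carol,true,false,true,false\n"
    "ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,false,true,false\n"
)
# What the CLI actually hands you: the same CSV, base64-encoded.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()


def decode_report(content_b64: str) -> str:
    """Decode the base64 `Content` field of get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def find_users_without_mfa(report_csv: str) -> list[dict]:
    """Return one finding per principal that can use the console without MFA.

    A user is in scope when `password_enabled` is true. The root account reports
    `not_supported` in that column but always has a password, so it is included.
    API-only users (no password) are not flagged: MFA protects console sign-in,
    and their access keys are a separate control to review.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_login = is_root or row["password_enabled"] == "true"
        mfa_active = row["mfa_active"] == "true"
        if console_login and not mfa_active:
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                # A password without MFA plus live access keys widens the blast radius.
                "has_active_keys": "true" in (row["access_key_1_active"],
                                              row["access_key_2_active"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_users_without_mfa(decode_report(SAMPLE_REPORT_B64)):
        print(f"{f['user']}: console login without MFA (active keys: {f['has_active_keys']})")
```

Against a real account, pipe `aws iam get-credential-report --query Content --output text` into `decode_report` (after `aws iam generate-credential-report` has produced a fresh report).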

Establishing a robust organisational approach towards MFA is essential in strengthening your overall security posture and is recommended for any organisation with sensitive or costly data in its cloud account. SkySiege’s Cloud Assessments automatically detect IAM Users across your entire organisation without attached and active MFA devices, with the report delivered the same day:

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests