AWS IAM
      Back to home
      1. CNS Policies
      2. AWS Knowledge Base
      3. AWS IAM

      Root MFA Disabled

      This plugin guarantees that a root account may be activated by a multi-factor authentication device

      Risk Level: High

      Description: 

      This plugin guarantees that a root account may be activated by a multi-factor authentication device. The MFA device configured for the root account should allow authentication of two factories.

      PingSafe strongly recommends enabling an MFA device for the root account and then use an IAM user for managing services.

      Note:

      AWS updates the Credential Report every 4 hours, it'll get updated soon please check back later. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

      About the Service :

      AWS ID and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, AWS users and groups can be established and managed and permissions used to enable access by AWS resources and prohibit them.

      We can discover and adjust the rules so that only the services are accessible. We can thus adhere better to the less privileged principle.

      Impact : 

      Not having an MFA-protected root account makes AWS resources and services vulnerable to attacks. An MFA device signature adds an extra layer of protection on top of existing root credentials making AWS root account virtually impossible to penetrate without the MFA-generated passcode.

      Steps to reproduce :

      1. Sign-in to AWS management console.
      2. Click on the “Account Name” and select “My Security Credentials”.
      3. Check the “MFA management” section. If there is no MFA device listed that means that the root account is not MFA protected.
      4. Repeat the steps for other root accounts too.

      Steps for remediation :

      1. Sign-in to AWS management console.
      2. Click on the “Account Name” and select “My Security Credentials”.
                    
      3. Check the “MFA management” section. If there is no MFA device listed that means that the root account is not MFA protected.
      4. Click on “Assign MFA device” to set up an MFA device for the root account.
      5. Select “Virtual MFA device” and click “Next Step” in the Manage MFA Device dialog box
      6. Now install the AWS MFA-compatible application and click Next Step.
        https://support.google.com/accounts/answer/1066447?hl=en 
      7. Scan the QR code and enter two consecutive authentication passcodes in the Authentication Code 1 and Authentication Code 2 boxes, then click Activate Virtual MFA in the Set up virtual MFA device dialogue box.
      8. Click on Assign MFA and then complete the setup procedures.
      9. Repeat the steps for adding more such MFA devices to root accounts.

       

      References: