AWS IAM

Users MFA Disabled

Risk Level: Medium

Description: 

This plugin checks that every user in the account has a multi-factor authentication (MFA) device enabled. To enable two-factor authentication, MFA devices should be set up on user accounts.

PingSafe strongly recommends enabling an MFA device for the user account.

Note:

AWS updates the Credential Report every 4 hours. If a recent change is not reflected yet, check back later. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

Configuration Parameters

Check for MFA for programmatic users: This boolean parameter controls how the multi-factor authentication (MFA) check is applied across all users in the account. When the value is TRUE, programmatic users without MFA are ignored. The default value is FALSE.

About the Service :

AWS Identity and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

Permissions can be reviewed and adjusted so that only the required services are accessible, which helps in adhering to the principle of least privilege.

Impact : 

Not having an MFA-protected root account makes AWS resources and services vulnerable to attacks. An MFA device signature adds an extra layer of protection on top of the existing root credentials, making the AWS root account virtually impossible to penetrate without the MFA-generated passcode.

Steps to reproduce :

  1. Sign-in to AWS management console.
    https://ap-south-1.console.aws.amazon.com/console/ 
  2. Navigate to IAM Management Console.
    https://console.aws.amazon.com/iamv2/ 
  3. Click on Users in the left navigation bar under Access Management.
  4. Select the user that you want to examine, then open the Security Credentials tab.
  5. We can clearly see that the password is enabled for the user but the Assigned MFA device shows that no MFA device has been assigned to the user. This suggests that the user’s MFA has been disabled. Hence, it is not following best security practices.
  6. Repeat the steps for other users too.
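
The same per-user check can be run across the whole account from the Credential Report instead of the console. The script below is an added example, not PingSafe's plugin code: the sample report is constructed, and `ignore_programmatic_users` is a hypothetical name for the behaviour the configuration parameter above has when set to TRUE.

```python
import csv
import io

# Constructed sample in the credential report CSV layout (columns trimmed to those used here).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
old-svc,arn:aws:iam::111122223333:user/old-svc,false,false,false,false
"""


def users_without_mfa(report_csv, ignore_programmatic_users=False):
    """Return (user, access_kind) findings for IAM users whose mfa_active is not true.

    ignore_programmatic_users is a hypothetical parameter name: when True, users
    that have no console password (access keys only) are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root has its own row in the report; this check covers IAM users
        if row["mfa_active"].strip().lower() == "true":
            continue
        has_password = row["password_enabled"].strip().lower() == "true"
        has_active_key = any(
            row.get(col, "").strip().lower() == "true"
            for col in ("access_key_1_active", "access_key_2_active")
        )
        if has_password:
            findings.append((row["user"], "console"))
        elif has_active_key and not ignore_programmatic_users:
            findings.append((row["user"], "programmatic"))
        # Assumption of this example: a user with neither a password nor an
        # active access key holds no usable credential and is not reported.
    return findings


if __name__ == "__main__":
    for user, kind in users_without_mfa(SAMPLE_REPORT):
        print(f"{user}: MFA disabled ({kind} access)")
```

To run it against a real account, pass in the decoded CSV returned by `aws iam get-credential-report` after `aws iam generate-credential-report` has completed.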

Steps for remediation :

  1. Sign-in to AWS management console.
    https://ap-south-1.console.aws.amazon.com/console/ 
  2. Navigate to IAM Management Console.
    https://console.aws.amazon.com/iamv2/ 
  3. Click on Users in the left navigation bar under Access Management.
  4. Select the user that you want to examine, then open the Security Credentials tab.
  5. We can clearly see that the password is enabled for the user but the Assigned MFA device shows that no MFA device has been assigned to the user. This suggests that the user’s MFA has been disabled. Hence, it is not following best security practices.
  6. Click on “Manage” to set up an MFA device for the root account.
  7. Select “Virtual MFA device” and click “Next Step” in the Manage MFA Device dialog box.
  8. Now install the AWS MFA-compatible application and click Next Step.
    https://support.google.com/accounts/answer/1066447?hl=en 
  9. Scan the QR code and enter two consecutive authentication passcodes in the Authentication Code 1 and Authentication Code 2 boxes, then click Activate Virtual MFA in the Set up virtual MFA device dialogue box.
  10. Click on Assign MFA and then complete the setup procedures.
  11. Repeat the steps for other users with MFA disabled too.
