AWS IAM: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

In this topic:

    Name
    Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
    Description
    Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.
    Severity
    High
    Remediation
    This control is implemented as an AWS Config rule backed by a custom Lambda function. The Config rule reports the compliance status of IAM users against this control; it DOES NOT enforce the control by enabling MFA for any IAM user. For extra security, we recommend that customers enable multi-factor authentication (MFA) for IAM users based on the compliance status reported by the Config rule. Refer to IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). If the Config rule reports non-compliance, ensure that IAM users with a console password have MFA enabled. For remediation steps, refer to control 1.2 in the CIS AWS Foundations Benchmark: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
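    As an added example (not the custom Lambda behind the page's Config rule, which the page does not reproduce), the Python below performs the evaluation the rule describes: list IAM users, treat those with a login profile (console password) as in scope, and flag any in-scope user that has no MFA device. FakeIAM is a constructed stand-in for a boto3 IAM client with sample users; the COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE labels are an assumption mirroring Config evaluation results, and a real boto3.client("iam") can be passed in place of FakeIAM to evaluate an account.

```python
def has_console_password(iam, user_name):
    """True if the user has a login profile (console password), else False."""
    try:
        iam.get_login_profile(UserName=user_name)
        return True
    except Exception as err:  # botocore ClientError exposes .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchEntity":
            return False
        raise


def evaluate_users(iam):
    """Map each IAM user to COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE."""
    users, marker = [], None
    while True:  # walk IAM's paginated list_users response
        page = iam.list_users(Marker=marker) if marker else iam.list_users()
        users.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            break
        marker = page["Marker"]
    results = {}
    for name in users:
        if not has_console_password(iam, name):
            results[name] = "NOT_APPLICABLE"  # API-only users are out of scope
        elif iam.list_mfa_devices(UserName=name)["MFADevices"]:
            results[name] = "COMPLIANT"
        else:
            results[name] = "NON_COMPLIANT"
    return results


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client; the users below are sample data."""
    users = ["alice", "bob", "svc-deploy"]
    passwords = {"alice", "bob"}           # svc-deploy has access keys only
    mfa = {"alice": ["arn:aws:iam::111122223333:mfa/alice"]}  # constructed ARN

    def list_users(self, Marker=None):
        return {"Users": [{"UserName": n} for n in self.users], "IsTruncated": False}
    def get_login_profile(self, UserName):
        if UserName in self.passwords:
            return {"LoginProfile": {"UserName": UserName}}
        err = Exception("NoSuchEntity")  # shaped like botocore's ClientError
        err.response = {"Error": {"Code": "NoSuchEntity"}}
        raise err
    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in self.mfa.get(UserName, [])]}
```

    With the sample data, bob is the only NON_COMPLIANT user: he has a console password but no MFA device, which is exactly what the Config rule would report for follow-up.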