How to Find AWS IAM Users Without MFA Enabled

Multi-factor authentication (MFA) adds an extra layer of protection on top of a username and password.

When MFA is enabled, a user is prompted for an authentication code from their configured MFA device in addition to their username and password.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity high.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

1. Execute the following search command in Fix Inventory Shell:

   > search is(aws_iam_user) and password_enabled==true and mfa_active==false
   ​kind=aws_iam_user, ..., region=fixinventory-poweruser
   ​kind=aws_iam_user, ..., account=poweruser-team

2. Pipe the search command into the dump command:

   > search is(aws_iam_user) and password_enabled==true and mfa_active==false | dump
   ​reported:
   ​  id: /aws/iam/123
   ​  name: some-name
   ​  ctime: '2022-12-05T22:53:14Z'
   ​  kind: aws_iam_user
   ​  age: 2mo28d

   The command output will list the details of all non-compliant aws_iam_user resources.

Remediation

• Enable MFA for users account.
• MFA is a simple best practice that adds an extra layer of protection on top of your user name and password.
• Recommended to use hardware keys over virtual MFA.

note

Please refer to the AWS IAM documentation for details.

Further Reading

• Search
• Command-Line Interface
• aws_iam_user Resource Data Model

External Links

• CIS Amazon Web Services Benchmarks
• AWS Documentation