How to Find AWS IAM Users Without MFA Enabled
Multi-factor authentication (MFA) adds an extra layer of protection on top of a username and password.
When MFA is enabled, a user is prompted for an authentication code from their configured MFA device in addition to their username and password.
info
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity high.
Prerequisites
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions
-
Execute the following
search
command in Fix Inventory Shell:> search is(aws_iam_user) and password_enabled==true and mfa_active==false
kind=aws_iam_user, ..., region=fixinventory-poweruser
kind=aws_iam_user, ..., account=poweruser-team -
Pipe the
search
command into thedump
command:> search is(aws_iam_user) and password_enabled==true and mfa_active==false | dump
reported:
id: /aws/iam/123
name: some-name
ctime: '2022-12-05T22:53:14Z'
kind: aws_iam_user
age: 2mo28dThe command output will list the details of all non-compliant
aws_iam_user
resources.
Remediation
- Enable MFA for users account.
- MFA is a simple best practice that adds an extra layer of protection on top of your user name and password.
- Recommended to use hardware keys over virtual MFA.
note
Please refer to the AWS IAM documentation for details.