Root Account Should Have MFA

More Info:

Multifactor Authentication is strongly recommended to be enabled for every account with no exceptions in order to secure your AWS environment and adhere to IAM security best practices.

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, GDPR, CISAWS, CBP, NIST, SOC2, PCIDSS, HITRUST, AWSWAF, NISTCSF

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent the misconfiguration where the root account does not have Multi-Factor Authentication (MFA) enabled in AWS IAM using the AWS CLI, follow these steps:

Create a Virtual MFA Device: First, create a virtual MFA device for the root account. This will generate a QR code that you can scan with an MFA application (like Google Authenticator).
```
aws iam create-virtual-mfa-device --virtual-mfa-device-name root-account-mfa --outfile /path/to/qr-code.png
```
Enable MFA for the Root Account: After scanning the QR code with your MFA application, you will receive two consecutive MFA codes. Use these codes to enable MFA for the root account.
```
aws iam enable-mfa-device --user-name root --serial-number arn:aws:iam::account-id:mfa/root-account-mfa --authentication-code1 <MFA_CODE_1> --authentication-code2 <MFA_CODE_2>
```
Verify MFA Device: To ensure that the MFA device is correctly associated with the root account, you can list the MFA devices for the root account.
```
aws iam list-mfa-devices --user-name root
```

Enforce MFA Usage: Optionally, you can create an IAM policy that enforces the use of MFA for sensitive operations. Attach this policy to the root account or other IAM users as needed.

aws iam create-policy --policy-name EnforceMFA --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}'

By following these steps, you can ensure that the root account in AWS IAM has MFA enabled, thereby enhancing the security of your AWS environment.

Using Python

To prevent the misconfiguration of not having Multi-Factor Authentication (MFA) enabled for the root account in AWS IAM using Python scripts, you can follow these steps:

Install AWS SDK for Python (Boto3): Ensure you have Boto3 installed in your Python environment. You can install it using pip if you haven’t already.
```
pip install boto3
```

Create a Python Script to Check MFA Status: Write a Python script that uses Boto3 to check if MFA is enabled for the root account. This script will help you identify if the root account does not have MFA enabled.

import boto3

def check_root_mfa():
    client = boto3.client('iam')
    response = client.get_account_summary()
    mfa_devices = client.list_mfa_devices(UserName='root')
    
    if response['SummaryMap']['AccountMFAEnabled'] == 1 and len(mfa_devices['MFADevices']) > 0:
        print("MFA is enabled for the root account.")
    else:
        print("MFA is NOT enabled for the root account. Please enable it.")

if __name__ == "__main__":
    check_root_mfa()

Automate the Script Execution: Schedule the script to run at regular intervals using a task scheduler like cron (Linux) or Task Scheduler (Windows) to ensure continuous monitoring. For example, to run the script every day at midnight using cron, you can add the following line to your crontab:
```
0 0 * * * /usr/bin/python3 /path/to/your_script.py
```

Notify Administrators: Enhance the script to send notifications (e.g., via email or Slack) if MFA is not enabled. This ensures that administrators are alerted immediately and can take action.

import boto3
import smtplib
from email.mime.text import MIMEText

def send_notification(message):
    # Set up the server and login details
    smtp_server = 'smtp.example.com'
    smtp_port = 587
    smtp_user = '[email protected]'
    smtp_password = 'your_password'
    
    # Create the email content
    msg = MIMEText(message)
    msg['Subject'] = 'AWS Root Account MFA Status Alert'
    msg['From'] = smtp_user
    msg['To'] = '[email protected]'
    
    # Send the email
    with smtplib.SMTP(smtp_server, smtp_port) as server:
        server.starttls()
        server.login(smtp_user, smtp_password)
        server.sendmail(smtp_user, '[email protected]', msg.as_string())

def check_root_mfa():
    client = boto3.client('iam')
    response = client.get_account_summary()
    mfa_devices = client.list_mfa_devices(UserName='root')
    
    if response['SummaryMap']['AccountMFAEnabled'] == 1 and len(mfa_devices['MFADevices']) > 0:
        print("MFA is enabled for the root account.")
    else:
        message = "MFA is NOT enabled for the root account. Please enable it."
        print(message)
        send_notification(message)

if __name__ == "__main__":
    check_root_mfa()

By following these steps, you can proactively prevent the misconfiguration of not having MFA enabled for the root account in AWS IAM using Python scripts.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Root Account Should Have MFA

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: