IAM Group Members with AdministratorAccess Have MFA Enabled
Overview
This check verifies that all IAM users who belong to groups with the AdministratorAccess managed policy have multi-factor authentication (MFA) enabled. Administrator accounts have full control over your AWS environment, making them high-value targets for attackers.
Risk
Without MFA on administrator accounts:
- Single-factor compromise - Stolen or guessed passwords can give attackers full AWS access
- Privilege escalation - Attackers can modify IAM policies, create new admin users, or disable security controls
- Data exfiltration - Full read access to all services including S3, databases, and secrets
- Destructive operations - Ability to delete resources, terminate instances, or wipe entire accounts
- Lateral movement - Access to create credentials for other services and accounts
MFA adds a critical second layer of defense that prevents account takeover even if passwords are compromised.
Remediation Steps
Prerequisites
- Access to the AWS Console with IAM permissions
- An authenticator app (like Google Authenticator, Authy, or Microsoft Authenticator) or a hardware security key
- Ability to coordinate with the affected admin users if enabling MFA on their behalf
AWS Console Method
Step 1: Identify admin users without MFA
- Sign in to the AWS Management Console
- Navigate to IAM > User groups
- Find groups with the AdministratorAccess policy attached (check the Attached policies column)
- Click on the group name to see its members
- Note which users need MFA enabled
Step 2: Enable MFA for each user
For each admin user without MFA:
- Go to IAM > Users
- Click on the username
- Select the Security credentials tab
- In the Multi-factor authentication (MFA) section, click Assign MFA device
- Enter a Device name (e.g., admin-phone-mfa)
- Choose your MFA device type:
- Authenticator app - Use a phone app to generate codes
- Security key - Use a FIDO2-compatible hardware key (most secure)
- Hardware TOTP token - Use a dedicated hardware token
- Follow the on-screen instructions to complete setup
- Click Add MFA
Step 3: Verify MFA is active
- Return to IAM > Users > [username] > Security credentials
- Confirm the MFA device shows as Assigned
AWS CLI (optional)
List admin groups and their members:
# Find groups with AdministratorAccess policy
aws iam list-entities-for-policy \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
--entity-filter Group \
--region us-east-1
# List users in a specific group
aws iam get-group \
--group-name <admin-group-name> \
--region us-east-1
Check if a user has MFA enabled:
aws iam list-mfa-devices \
--user-name <username> \
--region us-east-1
If the MFADevices array is empty, the user has no MFA configured.
Create and enable a virtual MFA device:
# Step 1: Create the virtual MFA device
aws iam create-virtual-mfa-device \
--virtual-mfa-device-name <username>-mfa \
--outfile /tmp/qrcode.png \
--bootstrap-method QRCodePNG \
--region us-east-1
# Step 2: Have the user scan the QR code with their authenticator app
# Step 3: Enable the MFA device with two consecutive codes
aws iam enable-mfa-device \
--user-name <username> \
--serial-number arn:aws:iam::<account-id>:mfa/<username>-mfa \
--authentication-code1 <first-code> \
--authentication-code2 <second-code> \
--region us-east-1
Alternative: Remove AdministratorAccess from the group (if MFA cannot be enabled):
aws iam detach-group-policy \
--group-name <admin-group-name> \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
--region us-east-1
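The CLI commands above are one user at a time. As an added example (not part of this page or of Prowler), the script below joins the three outputs into the actual check: every member of a group carrying AdministratorAccess who has no MFA device. The inputs are constructed inline in the shape the CLI returns so it runs offline; in practice they come from the paginated `list-entities-for-policy`, `get-group` and `list-mfa-devices` calls shown above.

```python
"""Report members of AdministratorAccess groups that have no MFA device."""
from typing import Dict, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample of `list-entities-for-policy --entity-filter Group` output.
POLICY_GROUPS = {
    "PolicyGroups": [
        {"GroupName": "Admins", "GroupId": "AGPAEXAMPLEID0001"},
        {"GroupName": "PlatformAdmins", "GroupId": "AGPAEXAMPLEID0002"},
    ]
}

# Constructed sample of `get-group --group-name <name>` -> Users, keyed by group.
GROUP_MEMBERS = {
    "Admins": [{"UserName": "alice"}, {"UserName": "bob"}],
    "PlatformAdmins": [{"UserName": "bob"}, {"UserName": "carol"}],
}

# Constructed sample of `list-mfa-devices --user-name <name>` -> MFADevices, keyed by user.
MFA_DEVICES = {
    "alice": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
    "bob": [],    # empty MFADevices array: no MFA configured
    "carol": [],
}


def admin_groups(policy_entities: dict) -> List[str]:
    """Names of the groups that have AdministratorAccess attached."""
    return [g["GroupName"] for g in policy_entities.get("PolicyGroups", [])]


def admins_without_mfa(policy_entities: dict, group_members: dict,
                       mfa_devices: dict) -> Dict[str, List[str]]:
    """Map each non-compliant user to the admin groups that grant them access."""
    findings: Dict[str, List[str]] = {}
    for group in admin_groups(policy_entities):
        for member in group_members.get(group, []):
            user = member["UserName"]
            # A missing key and an empty list both mean no MFA device.
            if not mfa_devices.get(user):
                findings.setdefault(user, []).append(group)
    return findings


if __name__ == "__main__":
    for user, groups in admins_without_mfa(POLICY_GROUPS, GROUP_MEMBERS, MFA_DEVICES).items():
        print(f"FAIL {user}: AdministratorAccess via {', '.join(groups)} but no MFA device")
```

A user who is admin through several groups is reported once, with every group listed, so you can see which memberships to review if MFA cannot be enabled.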
CloudFormation (optional)
CloudFormation cannot directly create or assign MFA devices to users - this must be done interactively since it requires scanning a QR code and entering time-based codes.
However, you can enforce MFA at the policy level. This IAM policy denies all actions unless MFA is present:
AWSTemplateFormatVersion: '2010-09-09'
Description: Enforce MFA for administrator actions
Resources:
  EnforceMFAPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: EnforceMFAForAdmins
      Description: Denies actions unless MFA is authenticated
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyAllExceptListedIfNoMFA
            Effect: Deny
            NotAction:
              - iam:CreateVirtualMFADevice
              - iam:EnableMFADevice
              - iam:GetUser
              - iam:ListMFADevices
              - iam:ListVirtualMFADevices
              - iam:ResyncMFADevice
              - sts:GetSessionToken
            Resource: '*'
            Condition:
              BoolIfExists:
                'aws:MultiFactorAuthPresent': 'false'
  AdminGroupWithMFAEnforcement:
    Type: AWS::IAM::Group
    Properties:
      GroupName: AdminsWithMFAEnforcement
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
        - !Ref EnforceMFAPolicy
Deploy the template:
aws cloudformation deploy \
--template-file enforce-mfa.yaml \
--stack-name enforce-mfa-admins \
--capabilities CAPABILITY_NAMED_IAM \
--region us-east-1
Terraform (optional)
Like CloudFormation, Terraform cannot create interactive MFA devices. However, you can enforce MFA via policy:
# Policy that denies actions unless MFA is present
resource "aws_iam_policy" "enforce_mfa" {
  name        = "EnforceMFAForAdmins"
  description = "Denies actions unless MFA is authenticated"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyAllExceptListedIfNoMFA"
        Effect = "Deny"
        NotAction = [
          "iam:CreateVirtualMFADevice",
          "iam:EnableMFADevice",
          "iam:GetUser",
          "iam:ListMFADevices",
          "iam:ListVirtualMFADevices",
          "iam:ResyncMFADevice",
          "sts:GetSessionToken"
        ]
        Resource = "*"
        Condition = {
          BoolIfExists = {
            "aws:MultiFactorAuthPresent" = "false"
          }
        }
      }
    ]
  })
}

# Admin group with MFA enforcement
resource "aws_iam_group" "admins_with_mfa" {
  name = "AdminsWithMFAEnforcement"
}

resource "aws_iam_group_policy_attachment" "admin_access" {
  group      = aws_iam_group.admins_with_mfa.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_group_policy_attachment" "enforce_mfa" {
  group      = aws_iam_group.admins_with_mfa.name
  policy_arn = aws_iam_policy.enforce_mfa.arn
}
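Both the CloudFormation and Terraform policies above hinge on the `BoolIfExists` operator. As an added example (not from this page or Prowler), the script below models just that one Deny statement so you can see why the operator matters: with `Bool`, a request made with long-term access keys, where `aws:MultiFactorAuthPresent` is absent from the request context, would not match the Deny at all. It is a teaching model of this statement, not IAM's policy evaluator.

```python
"""Model the DenyAllExceptListedIfNoMFA statement's behaviour per request context."""
from typing import Optional

# The NotAction list from the policy: calls left open so a user can still set up MFA.
NOT_ACTION = {
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken",
}


def condition_matches(operator: str, mfa_present: Optional[bool]) -> bool:
    """Evaluate {operator: {"aws:MultiFactorAuthPresent": "false"}}.

    mfa_present is None when the key is absent from the request context,
    which is the case for long-term access keys used without an MFA session.
    """
    if mfa_present is None:
        # Bool: a missing key never matches, so the Deny would not apply.
        # BoolIfExists: a missing key counts as a match, so the Deny applies.
        return operator == "BoolIfExists"
    return mfa_present is False


def denied_by_mfa_policy(action: str, mfa_present: Optional[bool],
                         operator: str = "BoolIfExists") -> bool:
    """True if the statement denies this action for a request with this MFA context."""
    if action in NOT_ACTION:
        return False  # exempted so the user can enrol a device or get an MFA session
    return condition_matches(operator, mfa_present)


if __name__ == "__main__":
    # Constructed request contexts: MFA session, password without MFA, access keys.
    cases = [("s3:ListAllMyBuckets", True), ("s3:ListAllMyBuckets", False),
             ("s3:ListAllMyBuckets", None), ("iam:EnableMFADevice", None)]
    for action, mfa in cases:
        for op in ("BoolIfExists", "Bool"):
            print(f"{op:12} {action:22} mfa={mfa!s:5} "
                  f"denied={denied_by_mfa_policy(action, mfa, op)}")
```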
Verification
After enabling MFA for all admin users:
- Go to IAM > Users in the AWS Console
- Check each admin user's Security credentials tab
- Confirm the Multi-factor authentication (MFA) section shows an assigned device
You can also generate a credential report:
- Go to IAM > Credential report (in the left menu)
- Click Download credential report
- Open the CSV and check the mfa_active column for admin users
CLI verification commands
Check MFA status for a specific user:
aws iam list-mfa-devices \
--user-name <username> \
--region us-east-1
Expected output for a user with MFA enabled:
{
    "MFADevices": [
        {
            "UserName": "admin-user",
            "SerialNumber": "arn:aws:iam::123456789012:mfa/admin-user",
            "EnableDate": "2024-01-15T10:30:00Z"
        }
    ]
}
Generate and download credential report:
# Generate the report
aws iam generate-credential-report --region us-east-1
# Download and decode the report
aws iam get-credential-report --region us-east-1 \
--query 'Content' --output text | base64 --decode > credential-report.csv
# Check MFA status (column 1 is user, column 8 is mfa_active)
cut -d',' -f1,8 credential-report.csv
Additional Resources
- Enabling MFA devices for IAM users
- Configuring MFA-protected API access
- Using MFA with AWS CLI
- AWS Security Best Practices - Use MFA
Notes
- Hardware keys are most secure: FIDO2 security keys (like YubiKey) are phishing-resistant and preferred for admin accounts
- Backup MFA device: Consider assigning a second MFA device as backup for critical admin accounts
- MFA for root account: The AWS root account should also have MFA enabled - this is checked separately by Prowler
- Consider AWS IAM Identity Center: For organizations, SSO with MFA through IAM Identity Center provides centralized access management
- Break-glass procedures: Ensure you have documented procedures for account recovery if MFA devices are lost
- MFA condition in policies: Adding aws:MultiFactorAuthPresent conditions to sensitive operations adds defense-in-depth even if this check passes