# IAM User MFA Enabled for Console Access

## Overview

This check verifies that IAM users who can sign in to the AWS Management Console have multi-factor authentication (MFA) enabled. MFA adds a second layer of protection beyond the password: the user must also present a code from a physical or virtual device.

## Risk

Without MFA, if an attacker obtains a user's password (through phishing, credential stuffing, or data breaches), they gain full interactive access to your AWS account. This could allow them to:
- View and steal sensitive data
- Create new user accounts with elevated privileges
- Modify security settings and disable logging
- Launch resources (potentially running up costs)
- Delete critical infrastructure
**Severity: High.** Password-only authentication is a significant security gap.

## Remediation Steps

### Prerequisites

- Access to the AWS Console with IAM administrative permissions
- The name of the affected IAM user(s)

You have two options to fix this:

- Enable MFA for users who need console access (recommended for human users)
- Remove console access for users who do not need it (e.g., service accounts)

### Option 1: Enable MFA (Recommended)

This is the preferred approach for users who need to log in to the AWS Console.

1. Sign in to the AWS Console.
2. Go to IAM (search for "IAM" in the search bar).
3. Click Users in the left sidebar.
4. Click on the affected user's name.
5. Select the Security credentials tab.
6. Scroll to the Multi-factor authentication (MFA) section.
7. Click Assign MFA device.
8. Choose a device type:
   - Authenticator app: apps such as Google Authenticator, Authy, or Microsoft Authenticator
   - Security key: a hardware FIDO2 key (the most secure option)
   - Hardware TOTP token: a physical token device
9. Follow the on-screen instructions to complete setup.
10. Verify that MFA is listed as "Assigned" under the user's Security credentials.

#### AWS CLI (optional)

MFA setup via the CLI takes several steps because a QR code must be generated and then scanned by the user.

**Step 1: Create a virtual MFA device**

```bash
aws iam create-virtual-mfa-device \
  --virtual-mfa-device-name <IAM_USER_NAME>-mfa \
  --outfile /tmp/qrcode.png \
  --bootstrap-method QRCodePNG \
  --region us-east-1
```

This writes a QR code image to /tmp/qrcode.png. Have the user scan it with their authenticator app. Treat the file as a secret (the QR code encodes the device's seed) and delete it once enrollment is complete.

**Step 2: Enable the MFA device**

After the user scans the QR code, obtain two consecutive codes from their authenticator app:

```bash
aws iam enable-mfa-device \
  --user-name <IAM_USER_NAME> \
  --serial-number arn:aws:iam::<ACCOUNT_ID>:mfa/<IAM_USER_NAME>-mfa \
  --authentication-code1 <FIRST_CODE> \
  --authentication-code2 <SECOND_CODE> \
  --region us-east-1
```

Replace:

- `<IAM_USER_NAME>` with the actual username
- `<ACCOUNT_ID>` with your 12-digit AWS account ID
- `<FIRST_CODE>` and `<SECOND_CODE>` with two consecutive codes from the authenticator app

#### CloudFormation (optional)

CloudFormation cannot directly create or assign MFA devices. MFA must be configured manually or through the CLI after the user is created.

However, you can enforce MFA usage through IAM policies. Here is a policy that denies most actions unless MFA is present:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM policy requiring MFA for sensitive operations
Resources:
  RequireMFAPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: RequireMFAForSensitiveActions
      Description: Denies access to most actions unless MFA is authenticated
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowViewAccountInfo
            Effect: Allow
            Action:
              - iam:GetAccountPasswordPolicy
              - iam:ListVirtualMFADevices
            Resource: '*'
          - Sid: AllowManageOwnMFA
            Effect: Allow
            Action:
              - iam:CreateVirtualMFADevice
              - iam:DeleteVirtualMFADevice
              - iam:EnableMFADevice
              - iam:ListMFADevices
              - iam:ResyncMFADevice
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:user/${!aws:username}'
          - Sid: DenyAllExceptListedIfNoMFA
            Effect: Deny
            NotAction:
              - iam:CreateVirtualMFADevice
              - iam:EnableMFADevice
              - iam:GetUser
              - iam:ListMFADevices
              - iam:ListVirtualMFADevices
              - iam:ResyncMFADevice
              - sts:GetSessionToken
            Resource: '*'
            Condition:
              BoolIfExists:
                'aws:MultiFactorAuthPresent': 'false'
```

Attach this policy to users or groups to enforce MFA usage. Because the condition uses `BoolIfExists` rather than `Bool`, requests signed with long-term access keys (which carry no `aws:MultiFactorAuthPresent` key at all) are also denied, not only console sessions without MFA.

#### Terraform (optional)

Terraform cannot directly create or assign MFA devices to users. MFA must be configured manually or through the CLI.

However, you can enforce MFA usage through IAM policies:

```hcl
resource "aws_iam_policy" "require_mfa" {
  name        = "RequireMFAForSensitiveActions"
  description = "Denies access to most actions unless MFA is authenticated"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowViewAccountInfo"
        Effect = "Allow"
        Action = [
          "iam:GetAccountPasswordPolicy",
          "iam:ListVirtualMFADevices"
        ]
        Resource = "*"
      },
      {
        Sid    = "AllowManageOwnMFA"
        Effect = "Allow"
        Action = [
          "iam:CreateVirtualMFADevice",
          "iam:DeleteVirtualMFADevice",
          "iam:EnableMFADevice",
          "iam:ListMFADevices",
          "iam:ResyncMFADevice"
        ]
        Resource = [
          "arn:aws:iam::*:mfa/$${aws:username}",
          "arn:aws:iam::*:user/$${aws:username}"
        ]
      },
      {
        Sid    = "DenyAllExceptListedIfNoMFA"
        Effect = "Deny"
        NotAction = [
          "iam:CreateVirtualMFADevice",
          "iam:EnableMFADevice",
          "iam:GetUser",
          "iam:ListMFADevices",
          "iam:ListVirtualMFADevices",
          "iam:ResyncMFADevice",
          "sts:GetSessionToken"
        ]
        Resource = "*"
        Condition = {
          BoolIfExists = {
            "aws:MultiFactorAuthPresent" = "false"
          }
        }
      }
    ]
  })
}

# Attach to a user or group
resource "aws_iam_user_policy_attachment" "require_mfa_attachment" {
  user       = "<IAM_USER_NAME>"
  policy_arn = aws_iam_policy.require_mfa.arn
}
```

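To see what the `BoolIfExists` condition in the CloudFormation and Terraform policies above does at request time, here is an added Python simulation (example code written for this page; it is not Prowler's or AWS's policy evaluator). It embeds the same three statements, applies IAM's basic rule that an applicable Deny beats an applicable Allow, and compares the page's `BoolIfExists` with a plain `Bool` for a request signed with long-term access keys, where the `aws:MultiFactorAuthPresent` key is absent. The request contexts, the user names and the account ID 123456789012 are constructed; resource matching is simplified to fnmatch-style wildcards and action names are compared literally.

```python
"""Simulation of how the RequireMFAForSensitiveActions policy evaluates requests.
The statements are the page's; the evaluator is a deliberately small model of IAM
(literal action names, fnmatch-style resource wildcards, no other attached policies).
Constructed example for this page, not AWS's or Prowler's code."""
import copy
from fnmatch import fnmatchcase

REQUIRE_MFA_POLICY = [
    {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
     "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
     "Resource": "*"},
    {"Sid": "AllowManageOwnMFA", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": ["arn:aws:iam::*:mfa/${aws:username}",
                  "arn:aws:iam::*:user/${aws:username}"]},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                   "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                   "iam:ResyncMFADevice", "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]

# Constructed request contexts: the keys IAM would populate for each credential type.
CONSOLE_WITH_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
# A request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all.
LONG_TERM_ACCESS_KEY = {"aws:username": "alice"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every condition key matches the request context. Bool and
    BoolIfExists differ only in what happens when the key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # absent key counts as a match
                return False          # plain Bool: an absent key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    if "NotAction" in stmt:
        action_ok = action not in _as_list(stmt["NotAction"])
    else:
        action_ok = action in _as_list(stmt["Action"])
    username = context.get("aws:username", "")
    patterns = [p.replace("${aws:username}", username) for p in _as_list(stmt["Resource"])]
    resource_ok = any(fnmatchcase(resource, p) for p in patterns)
    return action_ok and resource_ok and _condition_matches(stmt.get("Condition", {}), context)


def evaluate(action, resource, context, policy=REQUIRE_MFA_POLICY):
    """'Deny' if an applicable Deny statement exists (an explicit deny always wins),
    'Allow' if only an Allow applies, 'NoMatch' when this policy says nothing and
    whatever other policies are attached decide."""
    applicable = [s for s in policy if _statement_applies(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "NoMatch"


def bool_variant(policy=REQUIRE_MFA_POLICY):
    """The same policy with the Deny condition written as Bool instead of BoolIfExists."""
    variant = copy.deepcopy(policy)
    for stmt in variant:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            stmt["Condition"] = {"Bool": cond["BoolIfExists"]}
    return variant


if __name__ == "__main__":
    own_mfa = "arn:aws:iam::123456789012:mfa/alice"
    cases = [
        ("console, MFA present", "s3:ListAllMyBuckets", "*", CONSOLE_WITH_MFA, REQUIRE_MFA_POLICY),
        ("console, no MFA", "s3:ListAllMyBuckets", "*", CONSOLE_NO_MFA, REQUIRE_MFA_POLICY),
        ("console, no MFA, enrolling own device", "iam:EnableMFADevice", own_mfa, CONSOLE_NO_MFA, REQUIRE_MFA_POLICY),
        ("access key, BoolIfExists", "s3:ListAllMyBuckets", "*", LONG_TERM_ACCESS_KEY, REQUIRE_MFA_POLICY),
        ("access key, plain Bool", "s3:ListAllMyBuckets", "*", LONG_TERM_ACCESS_KEY, bool_variant()),
    ]
    for label, action, resource, ctx, pol in cases:
        print(f"{label:40} {action:22} -> {evaluate(action, resource, ctx, pol)}")
```

The last two cases are the point: with `BoolIfExists` the access-key request is denied, with `Bool` the Deny statement silently does not apply and the user's other policies decide, so a leaked access key would bypass the MFA requirement entirely.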
### Option 2: Remove Console Access

If the user does not need to log in to the AWS Console (e.g., a service account that only uses API keys), remove their console password entirely.

1. Sign in to the AWS Console.
2. Go to IAM.
3. Click Users in the left sidebar.
4. Click on the affected user's name.
5. Select the Security credentials tab.
6. In the Console sign-in section, click Manage.
7. Select Disable console access.
8. Click Apply.
9. Verify that "Console password" shows Not enabled.

#### AWS CLI (optional)

```bash
aws iam delete-login-profile \
  --user-name <IAM_USER_NAME> \
  --region us-east-1
```

Replace `<IAM_USER_NAME>` with the actual username.

**Note:** This only removes console access. The user can still use access keys for API/CLI access if they have any.

#### CloudFormation (optional)

To ensure a user has no console access, simply omit the `LoginProfile` property:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM user without console access
Resources:
  ServiceAccountUser:
    Type: AWS::IAM::User
    Properties:
      UserName: my-service-account
      # No LoginProfile property = no console access
```

#### Terraform (optional)

To ensure a user has no console access, do not create an `aws_iam_user_login_profile` resource:

```hcl
# User without console access
resource "aws_iam_user" "service_account" {
  name = "my-service-account"
}

# Do NOT include aws_iam_user_login_profile for this user
```

## Verification

After remediation, verify the fix:

1. Go to IAM > Users in the AWS Console.
2. Click on the user's name.
3. Select the Security credentials tab.
4. Check one of the following:
   - MFA device shows as "Assigned" (if you enabled MFA), or
   - Console password shows "Not enabled" (if you removed console access)

### CLI Verification

Check whether MFA is enabled:

```bash
aws iam list-mfa-devices \
  --user-name <IAM_USER_NAME> \
  --region us-east-1
```

If MFA is enabled, the device is listed in the output. An empty `MFADevices` array means no MFA is configured.

Check whether console access is disabled:

```bash
aws iam get-login-profile \
  --user-name <IAM_USER_NAME> \
  --region us-east-1
```

If console access is disabled, this command fails with `NoSuchEntity - Login Profile for User <name> cannot be found`. If it instead returns a LoginProfile, the user still has a console password.
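The two CLI commands above verify one user at a time. The following added Python example (written for this page; it is not Prowler's implementation of the check) runs the same test across a whole account by reading the IAM credential report, which is how a scanner would do it: a user is flagged when `password_enabled` is true and `mfa_active` is false. The column names are those of the real credential report CSV; the report rows, user names and account ID 123456789012 are constructed. `fetch_credential_report` assumes a boto3 IAM client passed in by the caller and is not exercised offline.

```python
"""Account-wide version of the check: flag IAM users that have a console password
but no MFA, using the IAM credential report. Constructed example for this page."""
import csv
import io
import time

# Constructed sample report. Real reports have more columns; these are the ones the check reads.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T10:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,false
bob,arn:aws:iam::123456789012:user/bob,2022-06-07T11:00:00+00:00,true,no_information,2023-11-20T09:00:00+00:00,N/A,false,true
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def find_console_users_without_mfa(report_csv):
    """Return one finding per IAM user whose console password is enabled but MFA is not.
    The root account row is skipped: it is covered by a separate check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        console_enabled = row["password_enabled"].strip().lower() == "true"
        mfa_active = row["mfa_active"].strip().lower() == "true"
        if console_enabled and not mfa_active:
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                # Helps choose between Option 1 (enable MFA) and Option 2 (remove console
                # access): a password that has never been used is a candidate for removal.
                "password_last_used": row["password_last_used"],
                "has_access_keys": row["access_key_1_active"].strip().lower() == "true",
            })
    return findings


def fetch_credential_report(iam, timeout_seconds=60):
    """Generate and download the live report with a boto3 IAM client supplied by the
    caller (assumed; not run in this offline example). Report generation is
    asynchronous, so poll until the state is COMPLETE."""
    deadline = time.monotonic() + timeout_seconds
    while iam.generate_credential_report()["State"] != "COMPLETE":
        if time.monotonic() > deadline:
            raise TimeoutError("credential report was not ready in time")
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # For a real account: report = fetch_credential_report(boto3.client("iam"))
    for finding in find_console_users_without_mfa(SAMPLE_REPORT):
        print(f"FAIL {finding['arn']}: console password enabled, MFA not active "
              f"(password last used: {finding['password_last_used']})")
```

In the constructed report only `bob` fails: `alice` has MFA, `ci-deployer` has no console password (the Option 2 state), and the root row is left to the separate root-MFA check.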
## Additional Resources

- AWS: Enable MFA for IAM Users
- AWS: Using Multi-Factor Authentication in AWS
- AWS: IAM Security Best Practices
- AWS: Available MFA Types
## Notes

- MFA for root account: This check is for IAM users. The AWS root account should also have MFA enabled (a separate Prowler check covers this).
- Hardware vs. virtual MFA: Hardware security keys (FIDO2) are more secure than virtual MFA apps because they are phishing-resistant. Consider using them for privileged users.
- SSO alternative: For organizations, consider using AWS IAM Identity Center (SSO) with your corporate identity provider instead of individual IAM users. This centralizes authentication and MFA management.
- Service accounts: Programmatic-only users (service accounts) should not have console passwords. Use access keys or IAM roles instead.
- MFA enforcement: Even after enabling MFA, consider adding an IAM policy that denies actions unless MFA is present (see CloudFormation/Terraform examples above).