IAM users MFA
Check ID: aws-iam-002
AWS-IAM-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether every IAM user with console access has MFA enabled.
Why it matters
IAM users with console access but no MFA can be compromised through password theft, phishing, or credential stuffing attacks. According to Verizon DBIR 2024, stolen credentials are the initial attack vector in 44% of breaches. Once inside, attackers can pivot through the environment using whatever permissions that IAM user has. The 2023 CircleCI breach started with a single employee credential compromised by malware - MFA would have prevented the attacker from using the stolen password. Enforcing MFA for all console users is required by CIS AWS Foundations Benchmark and most compliance frameworks including SOC 2 and ISO 27001.
Common causes
MFA enforcement gaps appear when new IAM users are created through automation or CLI scripts that skip the MFA setup step. Onboarding processes often create the user and share credentials but leave MFA as a manual follow-up that employees delay or forget. Contractor and service accounts with console access are especially prone to missing MFA because ownership is unclear.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
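The logic behind this check can be reproduced from the IAM credential report, which lists every user together with the password_enabled and mfa_active columns. The script below is an added example and not cloud-audit's own code; it parses a constructed sample report (account ID and user names are made up) and flags users that have a console password but no active MFA device. API-only users (no login profile) are out of scope, and the root row, which reports password_enabled as not_supported, is skipped because root MFA is a separate check. The fetch_credential_report helper assumes boto3 is installed and credentials are configured; it is not called in the offline run.

```python
import csv
import io

# Constructed sample of an IAM credential report (the CSV that
# `aws iam get-credential-report` returns base64-encoded). Only the
# columns this check needs are kept; real reports carry more columns.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false
contractor-1,arn:aws:iam::123456789012:user/contractor-1,true,false
"""


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return the names of IAM users that have a console password but no MFA.

    password_enabled == "false" means the user has no login profile and is
    API-only, so it is not in scope. The root row carries "not_supported"
    and is skipped as well; root MFA is covered by a different check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue  # no console access: out of scope for aws-iam-002
        if row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def fetch_credential_report() -> str:
    """Download the live credential report with boto3.

    Assumes boto3 is installed and AWS credentials with
    iam:GenerateCredentialReport and iam:GetCredentialReport are configured.
    """
    import time
    import boto3

    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until the state is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # fetch_credential_report() to scan a real account.
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"FAIL aws-iam-002: {user} has console access without MFA")
```

On the sample data this reports bob and contractor-1; alice passes, ci-deploy is API-only and ignored, and the root row is skipped. The credential report can lag a few hours behind reality, so a user who enabled MFA minutes ago may still be flagged until the report is regenerated.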
Remediation: AWS CLI
aws iam create-virtual-mfa-device --virtual-mfa-device-name USER-mfa --outfile /tmp/USER-qr.png --bootstrap-method QRCodePNG
aws iam enable-mfa-device --user-name USER --serial-number arn:aws:iam::ACCOUNT_ID:mfa/USER-mfa --authentication-code1 CODE1 --authentication-code2 CODE2
Remediation: Terraform
# Creates the virtual MFA device only. The user still has to register it
# with two consecutive codes (aws iam enable-mfa-device, as above); the
# QR code for the authenticator app is exposed as the qr_code_png attribute.
resource "aws_iam_virtual_mfa_device" "user_mfa" {
  virtual_mfa_device_name = "user-mfa"
}
Compliance mapping
This check maps to CIS 1.4 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →