AWS-005 Amazon Web Services (AWS)

MFA is enabled for all IAM users with console access.

Domain
Amazon Web Services (AWS)
Area
IAM
Automated / manual
Automated

Risk if it fails

Stolen passwords alone should not grant access.

A user without MFA is one phished password away from compromise. The attacker logs in as that employee and inherits all their permissions.

How Tess tests it

1 test — each concludes only on cited evidence.

MFA is enabled for all IAM users with console access.

Automated
Procedure
Cross-reference the credential report's 'password_enabled' and 'mfa_active' columns; flag any user who can sign in to the console (password_enabled is true) but has no active MFA device.

Read-only command

aws iam generate-credential-report >/dev/null; aws iam get-credential-report --query 'Content' --output text | base64 -d
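The cross-reference described in the procedure, as an added example rather than Tess's own implementation: it parses the decoded credential report CSV that the command above emits and flags console users without MFA. The report content is a constructed sample in the real column layout, not data from any account.

```python
import csv
import io
import sys

# Constructed sample in the column layout of an IAM credential report; not real account data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2021-03-02T00:00:00+00:00,true,no_information,2024-01-10T00:00:00+00:00,N/A,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-15T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return IAM user names that can log in to the console but have no MFA device.

    A user counts as a console user only when password_enabled is exactly "true".
    The <root_account> row reports password_enabled as "not_supported" and is not
    an IAM user, so it is skipped here and left to the separate root-MFA control.
    Any mfa_active value other than "true" is treated as no MFA.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


def evaluate(report_csv: str) -> dict:
    """Conclude on the control: it passes only when no console user lacks MFA."""
    flagged = console_users_without_mfa(report_csv)
    return {"control": "AWS-005", "passed": not flagged, "flagged_users": flagged}


if __name__ == "__main__":
    # Pipe the decoded report in from the read-only command; fall back to the sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print(evaluate(data))
```

Note that generate-credential-report only starts report generation and returns at once; if get-credential-report is called before the report state reaches COMPLETE it fails with a ReportInProgress error, so the command may need a short wait or a retry on a fresh report.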
