Updated on 2024-12-10 GMT+08:00

MFA Has Been Enabled for Console Login

Rule Details

Table 1 Rule details

Parameter

Description

Rule Name

mfa-enabled-for-iam-console-access

Identifier

mfa-enabled-for-iam-console-access

Description

If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant.

Tag

iam

Trigger Type

Configuration change

Filter Type

iam.users

Configure Rule Parameters

None

Applicable Scenario

Multi-factor authentication (MFA) adds an additional layer of security protection on top of the identity credentials for an account. It is recommended that you enable MFA authentication for your account and privileged users created using your account. After MFA authentication is enabled, you need to enter verification codes after your username and password are authenticated. MFA devices, together with your username and password, ensure the security of your account and resources.

Solution

Before binding a virtual MFA device, ensure that you have installed an MFA application (such as Google Authenticator or Microsoft Authenticator) on your mobile device. For details, see Binding a Virtual MFA Device.

Rule Logic

  • If an IAM user is in the disabled state, this user is compliant.
  • If an IAM user is not allowed to access the management console, this user is compliant.
  • If an enabled IAM user who is allowed to access the management console has MFA enabled, this user is compliant.
  • If an enabled IAM user who is allowed to access the management console has MFA disabled, this user is noncompliant.