This guide demonstrates how to verify that all AWS IAM users have Multi-Factor Authentication (MFA) enabled. Enabling MFA is crucial to securing your AWS resources because it adds a layer of protection by requiring users to provide at least two forms of identification.
- You should have `cnspec` installed. You can follow the installation instructions to set it up.
- You need an AWS account and the necessary permissions to manage your resources.
- The AWS CLI should be installed and configured with your credentials.
To perform the MFA check, you can use the following command with `cnspec`:

```
cnspec scan aws --discover iam-users
```
This command lists all IAM users and checks each user for enabled MFA devices. The output is a list of IAM usernames, each with a check showing whether MFA is enabled.
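
To cross-check the scan result independently, the following added example (not part of the original guide or of cnspec) reads an IAM credential report, which the AWS CLI produces with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`, and lists the users whose `mfa_active` column is not `true`. The function name, the sample rows and the account ID are constructed for illustration.

```python
import csv
import io
import sys

# Constructed sample in the IAM credential report CSV layout. Only the columns
# used below are included (a real report has more); the account ID is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
dormant,arn:aws:iam::111122223333:user/dormant,false,false,false,false
"""


def users_without_mfa(report_csv):
    """Group the identities whose mfa_active column is not 'true'."""
    findings = {"console": [], "keys_only": [], "root_missing_mfa": False}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["mfa_active"].strip().lower() == "true":
            continue
        user = row["user"]
        if user == "<root_account>":
            # The root row reports password_enabled as "not_supported",
            # so it is matched by name rather than by that column.
            findings["root_missing_mfa"] = True
        elif row["password_enabled"].strip().lower() == "true":
            # Console sign-in protected by a password alone.
            findings["console"].append(user)
        elif "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            # No console password, but active access keys: listed separately.
            findings["keys_only"].append(user)
        # Users with neither a password nor an active key cannot sign in; skipped.
    return findings


if __name__ == "__main__":
    # Pass the path of a decoded credential report, or run with no argument
    # to use the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = users_without_mfa(text)
    print("Root account missing MFA:", result["root_missing_mfa"])
    print("Console users without MFA:", ", ".join(result["console"]) or "none")
    print("Key-only users without MFA:", ", ".join(result["keys_only"]) or "none")
```

Any user listed under console users here should also appear as failing in the scan output; a mismatch usually points to the two tools running under different credentials or accounts.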
- `cnspec` issues: Make sure that `cnspec` is installed correctly. If you have trouble running `cnspec`, try updating to the latest version or re-installing the tool.
- AWS CLI: Ensure that AWS CLI is installed and configured correctly. Verify that you are using the correct AWS credentials. If you encounter permission errors, check your AWS IAM role and permissions.
- Policy execution issues: If the policy does not execute as expected, ensure that you have the necessary permissions to access all resources in your AWS account.
Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this GitHub repository. For ongoing issues or broader discussions, we invite you to join us over at our GitHub discussions page. We're here to help!