Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

1.2 Identity and Access Management (AWS CIS Benchmark).


Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, a user signing in to an AWS website is prompted for their username and password and also for an authentication code from their AWS-linked MFA device.

It is recommended that MFA be enabled for all accounts that have a console password.

Enable MFA via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

Step 2. In the navigation pane, click on Users.

Step 3. In the "User Name" list, choose the name of the intended MFA user.

Step 4. Select the "Security Credentials" tab, and then click on Manage MFA Device.

Step 5. In the "Manage MFA Device" wizard, click on A virtual MFA device, and then click on Next Step.
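
To find which users still need the steps above, the check can be run against the IAM credential report. The following is an added example, not part of the original benchmark text; the function name and the sample rows (including the account ID) are constructed for illustration.

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout, trimmed to a few
# columns (a real report has more). All rows are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T00:00:00+00:00,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T10:00:00+00:00,true,2024-06-01T09:00:00+00:00,true
bob,arn:aws:iam::111122223333:user/bob,2022-07-08T10:00:00+00:00,true,no_information,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-01-02T10:00:00+00:00,false,N/A,false
carol,arn:aws:iam::111122223333:user/carol,2023-05-06T10:00:00+00:00,TRUE,N/A,FALSE
"""

REQUIRED_COLUMNS = {"user", "password_enabled", "mfa_active"}


def users_missing_mfa(report_csv):
    """Return the users that have a console password but no active MFA device."""
    reader = csv.DictReader(io.StringIO(report_csv))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        # Fail closed: a truncated or wrong file must not look like a clean result.
        raise ValueError("not a credential report, missing: " + ", ".join(sorted(missing)))

    findings = []
    for row in reader:
        # Only a literal "true" counts as having a console password. Rows with
        # any other value (for example a root row reporting not_supported, or
        # an access-key-only service user) are outside this check.
        has_password = row["password_enabled"].strip().lower() == "true"
        has_mfa = row["mfa_active"].strip().lower() == "true"
        if has_password and not has_mfa:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for name in users_missing_mfa(SAMPLE_REPORT):
        print("console password without MFA:", name)
```

A real report can be produced with `aws iam generate-credential-report` and then fetched with `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.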