IAM user with Console access does not have MFA

PLATFORM

SERVICE: iam

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: medium (exploitability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: high (how impactful a successful exploitation of this vulnerability is expected to be for your environment and organization)

About

Multi-factor authentication (MFA) is one of the strongest and most impactful controls an account owner can put in place to limit the damage of a leaked access key. Proliferating IAM users without MFA creates the risk that any single credential leak gives an attacker everything needed to access the account.

Understanding Impact

Business Impact

IAM users with Console access that do not have multi-factor authentication (MFA) are a risk. Many compliance frameworks require MFA for 100% of users.

Often, systems such as CI/CD pipelines or service accounts proliferate IAM users acting as machine identities. Consider adopting AWS IAM Roles Anywhere, or obtaining role credentials through the instance metadata service (the metadata proxy) when running in the AWS Cloud, instead of creating long-lived IAM users.

Technical Impact

IAM users with Console access that do not have MFA enabled are considered risky. An attacker can use credential stuffing, brute force, or social engineering to compromise such a user, since the password alone is sufficient to log in.

Continuously auditing MFA status, tracking adoption metrics, and surfacing reports back to teams helps keep this misconfiguration at or near zero.

Identify affected resources

The easiest way to identify IAM users who have Console access without MFA is to generate an IAM credential report.

aws iam generate-credential-report

Then, retrieve the credential report. The report is returned as a CSV file, Base64-encoded.

aws iam get-credential-report --query Content --output text | base64 -d

Vulnerable users are those with password_enabled set to true and mfa_active set to false (the fourth and eighth columns of the report).

You can also identify vulnerable users using the following command:

aws iam get-credential-report --query Content --output text \
| base64 -d \
| awk -F, '{ if ($4 == "true" && $8 == "false") { print $2 } }'
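The same check as the awk pipeline above, written as an added example (not code from the original page) that looks columns up by header name instead of position and so keeps working if the report gains columns. It runs on a constructed sample report embedded inline; with live data you would feed it the decoded output of `aws iam get-credential-report`.

```python
import base64
import csv
import io

# Constructed sample of a decoded IAM credential report (not real account data).
# The column order matches the report the AWS CLI returns; password_enabled is
# column 4 and mfa_active column 8. The root account reports password_enabled
# as "not_supported", so a plain string compare never lists it.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::111122223333:user/alice,2021-05-05T00:00:00+00:00,true,2024-02-02T00:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-06-06T00:00:00+00:00,true,no_information,2022-06-06T00:00:00+00:00,N/A,false,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2022-07-07T00:00:00+00:00,false,N/A,N/A,N/A,false,true
"""


def decode_report(content_b64: str) -> str:
    """Decode the Base64 'Content' field returned by get-credential-report."""
    return base64.b64decode(content_b64).decode("utf-8")


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return IAM user names that have a console password but no active MFA device.

    The header row is consumed by DictReader, so it is never matched by accident.
    """
    reader = csv.DictReader(io.StringIO(report_csv))
    return [
        row["user"]
        for row in reader
        if row["password_enabled"] == "true" and row["mfa_active"] == "false"
    ]


if __name__ == "__main__":
    # Live use: pass the output of
    #   aws iam get-credential-report --query Content --output text
    # to decode_report(); here the constructed sample is encoded to mimic it.
    encoded = base64.b64encode(SAMPLE_REPORT.encode()).decode()
    for name in console_users_without_mfa(decode_report(encoded)):
        print(f"console access without MFA: {name}")
```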

Remediate vulnerable resources

Remove the IAM user, disable the user's console access, or enable MFA for the user.

You can also enforce MFA for all IAM users.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this vulnerability using the out-of-the-box rule "Datadog Cloud SIEM Rule | Detect when a user logs in to your AWS console without multi-factor authentication".

References

Using multi-factor authentication (MFA) in AWS (AWS documentation)

Configure MFA device enforcement (AWS documentation)
