🟠 CIS AWS 1.2 | Rule: AWS-IAM-002 | Severity: critical

Ensure MFA is enabled for all IAM users with console access

Description

Every IAM user with a console password (password_enabled is true in the IAM credential report) must have an MFA device enrolled (mfa_active is true). Users that hold only access keys are out of scope for this control; the root account is covered by its own control.

⚠️ Risk Impact

A console password on its own is a single factor. A user whose password is phished, guessed, or reused from another breach (credential stuffing) hands the attacker a normal console session with that user's full permissions, and that session is indistinguishable from a legitimate login.

🔍 How EchelonGraph Detects This

AWS-IAM-002 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

Enrol an MFA device (virtual TOTP app, FIDO security key, or hardware token) for every user with a console password, then enforce it with an IAM Deny policy conditioned on aws:MultiFactorAuthPresent, so that a session without MFA can do nothing except complete its own enrolment. Note that this condition key is absent from requests signed with long-term access keys; a Deny that uses BoolIfExists with "false" therefore also denies plain access-key calls, which is why such users must be allowed sts:GetSessionToken to obtain MFA-backed temporary credentials.

💀 Real-World Attack Scenario

A phishing email targeted the finance team with a fake AWS login page. Three employees entered their credentials. Without MFA, the attacker accessed the AWS console and exported 6 months of billing data containing customer contact information and configuration details.

💰 Cost of Non-Compliance

Deloitte (2017): an administrator account protected only by a password gave attackers access to the firm's email system; reporting put the number of affected clients at 350+. The average cost of a breach that starts with phishing is $4.76M (IBM Cost of a Data Breach Report 2023). Organizations without MFA pay 23% higher cyber insurance premiums.

📋 Audit Questions

  1. What percentage of console users have MFA enabled?
  2. Is there an IAM policy denying actions without MFA?
  3. How are new users required to enroll in MFA?
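The check behind this rule and behind audit question 1, as an added example that is not EchelonGraph's scanner code or AWS code: it parses an IAM credential report, the same CSV that aws iam get-credential-report returns, and flags every user whose password_enabled column is true while mfa_active is false. The report text below is constructed for the example (a subset of the real report's columns); fetch_report is the only part that touches AWS and assumes boto3 is installed and credentials are configured.

```python
"""Audit an IAM credential report for console users without MFA (CIS AWS 1.2)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample of a credential report. A real report has more columns;
# DictReader reads by name, so only the columns used here need to be present.
# The root row carries "not_supported" in password_enabled, as in real reports.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-05T09:00:00+00:00,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,true,2024-03-01T08:00:00+00:00,true,false
bob,arn:aws:iam::123456789012:user/bob,2021-03-02T10:00:00+00:00,true,no_information,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-10T12:00:00+00:00,false,N/A,false,true
carol,arn:aws:iam::123456789012:user/carol,2023-09-15T15:30:00+00:00,true,2024-02-28T17:45:00+00:00,false,false
"""


@dataclass(frozen=True)
class Finding:
    user: str
    arn: str
    password_last_used: str  # "no_information" or "N/A" when never used


def console_users_without_mfa(report_csv: str) -> list[Finding]:
    """Return one Finding per IAM user that has a console password but no MFA.

    Access-key-only users (password_enabled false) are out of scope for this
    control, and the root account never matches because its password_enabled
    column reads "not_supported"; root MFA is a separate CIS control.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true" and row["mfa_active"] == "false":
            findings.append(Finding(row["user"], row["arn"], row["password_last_used"]))
    return findings


def mfa_coverage(report_csv: str) -> tuple[int, int]:
    """Answer audit question 1: (console users with MFA, total console users)."""
    total = with_mfa = 0
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue
        total += 1
        if row["mfa_active"] == "true":
            with_mfa += 1
    return with_mfa, total


def fetch_report() -> str:
    """Pull the live report with boto3 (assumed installed and configured).

    Imported lazily and never called by default, so the module runs offline.
    generate_credential_report is asynchronous: poll until State is COMPLETE.
    """
    import time

    import boto3

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    report = SAMPLE_REPORT  # swap for fetch_report() to audit a real account
    with_mfa, total = mfa_coverage(report)
    pct = 100 * with_mfa / total if total else 100.0
    print(f"MFA coverage: {with_mfa}/{total} console users ({pct:.0f}%)")
    for f in console_users_without_mfa(report):
        print(f"FINDING {f.user} ({f.arn}); last console login: {f.password_last_used}")
```

Run against the sample it reports 1 of 3 console users covered and flags bob and carol; ci-deploy (keys only) and the root account are correctly left to other controls. Run the same functions over fetch_report() output, per account, to produce the percentage audit question 1 asks for.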

🎯 MITRE ATT&CK Mapping

  • T1078 — Valid Accounts
  • T1566 — Phishing
  • T1110 — Brute Force

🏗️ Infrastructure as Code Fix

main.tf
# Deny everything except MFA self-enrolment when the request is not MFA-authenticated.
# BoolIfExists/"false" also matches requests with no key at all (long-term access keys).
resource "aws_iam_policy" "require_mfa" {
  name   = "RequireMFA"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DenyAllExceptMFASetup"
      Effect = "Deny"
      # What an unenrolled user still needs: enrol/resync a device, change a first-login password, get an MFA-backed session.
      NotAction = [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice",
        "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
        "iam:ChangePassword", "sts:GetSessionToken"
      ]
      Resource  = "*"
      Condition = { BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" } }
    }]
  })
}
# A detached policy enforces nothing: attach it to the group console users belong to.
resource "aws_iam_group_policy_attachment" "require_mfa" {
  group      = "console-users" # assumed existing group; adjust to your naming
  policy_arn = aws_iam_policy.require_mfa.arn
}

⚡ Common Pitfalls

  • Enforcing MFA via policy but not requiring it during initial user setup
  • Users sharing MFA devices across accounts
  • Not enforcing MFA for programmatic access to sensitive APIs
  • Attaching the Deny policy to service users that only hold access keys: aws:MultiFactorAuthPresent is absent from long-term-credential requests, so a BoolIfExists/"false" Deny blocks everything they do

📈 Business Value

IAM MFA enforcement blocks the overwhelming majority of credential-based attacks on AWS console users (Microsoft's widely cited figure is over 99.9% of automated account-compromise attempts). It is one of the most cost-effective security controls available.

⏱️ Effort Estimate

Manual

2-4 hours to create policy and coordinate user enrollment

With EchelonGraph

EchelonGraph detects IAM users without MFA across all accounts

🔗 Cross-Framework References

  • SOC2-CC6.1
  • ISO27001-A.9.4.2

Automate CIS AWS 1.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
