Control: 1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password
Description
Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user logs on to Alibaba Cloud, they will be prompted for their user name and password followed by an authentication code from their virtual MFA device. It is recommended that MFA be enabled for all users that have a console password.
Remediation
From Console
Perform the following to enable an MFA device for each RAM user that has a console password:
1. Log on to the RAM console.
2. Choose Identities > Users.
3. In the User Logon Name/Display Name column, click the username of the RAM user.
4. In the Console Logon Management section, click Modify Logon Settings.
5. Select Enabled for Console Password Logon and Required for Enable MFA.
   - Note: After you select Enabled for Console Password Logon and Required for Enable MFA when modifying the logon settings of a RAM user, that user is required to bind an MFA device and can go straight to step 7 when logging on to the RAM console for the first time. Until the user completes the binding, the account still has no MFA device enabled.
6. In the MFA Device section, click Enable the device.
7. Download and install Google Authenticator on your mobile phone.
   - For iOS: Install Google Authenticator from the App Store.
   - For Android: Install Google Authenticator from the Google Play Store.
   - Note: You need to install a QR code scanner from the Google Play Store for Google Authenticator to identify QR codes.
8. Open Google Authenticator and tap BEGIN SETUP.
9. Either tap Scan barcode and scan the QR code displayed on the Scan the code tab in the console, or tap Manual entry, enter the username and key, and then tap the check mark (√) icon.
   - Note: You can obtain the username and key from the Retrieval manually enter information tab in the console.
10. On the Scan the code tab, enter the two consecutive security codes obtained from Google Authenticator and click Enable.
   - Note: The security code is refreshed at an interval of 30 seconds.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_1_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_4 --share
SQL
This control uses a named query:
ram_user_console_access_mfa_enabled
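As an added example (not the mod's own query text, which this page does not reproduce), the following PostgreSQL query shows the check the control performs: a RAM user is in alarm when it has a console password but no active MFA device, compliant when both are present, and out of scope when it has no console password at all. The rows are constructed inline so the query runs on any PostgreSQL instance without the Steampipe plugin; the column names password_exist and mfa_active are assumptions that mirror the fields of the Alibaba Cloud RAM credential report, and the ok/alarm/skip values are the status vocabulary Powerpipe controls report.

```sql
-- Added example, not the mod's query. The credential_report CTE below is
-- constructed sample data standing in for the Steampipe table that exposes the
-- RAM credential report; the column names password_exist and mfa_active are
-- assumed (they mirror the Alibaba Cloud credential report fields).
with credential_report(user_name, password_exist, mfa_active) as (
  values
    ('alice',  true,  true),   -- console password and MFA bound: compliant
    ('bob',    true,  false),  -- console password, no MFA device: finding
    ('svc-ci', false, false)   -- API-only user, no console password: not in scope
),
controlled as (
  select
    user_name as resource,
    -- Evaluation order matters: a user without a console password is skipped
    -- before MFA is even considered, so API-only identities never raise alarms.
    case
      when not password_exist then 'skip'
      when mfa_active then 'ok'
      else 'alarm'
    end as status,
    case
      when not password_exist then user_name || ' has no console password.'
      when mfa_active then user_name || ' has a console password and MFA enabled.'
      else user_name || ' has a console password but MFA is not enabled.'
    end as reason
  from credential_report
)
select resource, status, reason
from controlled
order by status, resource;
-- Expected rows:
--   bob     | alarm | bob has a console password but MFA is not enabled.
--   alice   | ok    | alice has a console password and MFA enabled.
--   svc-ci  | skip  | svc-ci has no console password.
```

To run the same logic against a live account, replace the CTE with the Steampipe table that backs the named query and keep the resource/status/reason shape, which is what Powerpipe renders and what the --share snapshot above captures. Note that a user who has been flagged Required for Enable MFA but has not yet bound a device still reports alarm, because the check looks at whether an MFA device is active, not at whether binding is required.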