Control: 1.7 Ensure MFA is enabled for all users with a console password
Description
Multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user’s identity.
With MFA enabled in the IAM service, when a user signs in to Oracle Cloud Infrastructure, they are prompted for their user name and password, which is the first factor (something they know). The user is then prompted for a verification code from a registered MFA device, which is the second factor (something they have). The two factors work together, adding an extra layer of assurance that the person completing the sign-in is the account's owner.
OCI IAM supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).
See OCI documentation for more details.
Remediation
Each user must enable MFA for themselves, using a device they will have access to every time they sign in. An administrator cannot enable MFA on another user's behalf, but can enforce it by identifying the non-compliant users, notifying them, or disabling their access by resetting the password of each non-compliant account.
Disabling access from Console:
- Login to OCI console.
- Select Identity from the Services menu.
- Select Users from the Identity menu.
- Click on each non-compliant user.
- Click on Create/Reset Password.
From Command Line
Execute the following for each non-compliant user:
oci iam user ui-password create-or-reset --user-id <OCID of the non-compliant user>
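The three administrator steps above (identify the non-compliant users, notify them, reset their passwords) can be scripted against the JSON that the OCI CLI returns. The following is an added example, not code from the oci_compliance mod or from Oracle: it assumes the output shape of `oci iam user list --all --output json` (kebab-case keys such as `is-mfa-activated` and `capabilities.can-use-console-password`), and the user records it filters are constructed by hand rather than captured from a tenancy. Skipping users that cannot hold a console password (API-only identities) mirrors the control's scope; skipping users that are not `ACTIVE` is a choice made in this example so that a reset is only issued where it would actually change access.

```python
"""Find OCI IAM users who can sign in to the Console with a password but have
no MFA device registered, and emit the CLI remediation for each one.

Added example; not part of the oci_compliance mod. Consumes the JSON printed by
`oci iam user list --all --output json` (assumed key names, kebab-case as the
OCI CLI emits them). The sample below is constructed, not captured."""
import json
import shlex
import subprocess

# Constructed sample in the shape of `oci iam user list --all --output json`.
SAMPLE_USER_LIST = json.dumps({"data": [
    {"name": "alice", "id": "ocid1.user.oc1..alice", "lifecycle-state": "ACTIVE",
     "is-mfa-activated": True, "capabilities": {"can-use-console-password": True}},
    {"name": "bob", "id": "ocid1.user.oc1..bob", "lifecycle-state": "ACTIVE",
     "is-mfa-activated": False, "capabilities": {"can-use-console-password": True}},
    # API-only identity: no console password, so MFA is out of scope for it.
    {"name": "svc-ci", "id": "ocid1.user.oc1..svcci", "lifecycle-state": "ACTIVE",
     "is-mfa-activated": False, "capabilities": {"can-use-console-password": False}},
    # Deactivated user: a password reset would not change their access.
    {"name": "carol", "id": "ocid1.user.oc1..carol", "lifecycle-state": "INACTIVE",
     "is-mfa-activated": False, "capabilities": {"can-use-console-password": True}},
]})


def console_users_without_mfa(user_list_json: str) -> list[dict]:
    """Return active users who hold console-password capability but no MFA."""
    users = json.loads(user_list_json)["data"]
    noncompliant = []
    for u in users:
        can_console = u.get("capabilities", {}).get("can-use-console-password", False)
        if not can_console or u.get("lifecycle-state") != "ACTIVE":
            continue  # outside the control's scope, or not worth resetting
        if not u.get("is-mfa-activated", False):
            noncompliant.append(u)
    return noncompliant


def reset_commands(noncompliant: list[dict]) -> list[str]:
    """One `oci iam user ui-password create-or-reset` per non-compliant user.

    The OCID is shell-quoted so the lines can be pasted or piped safely."""
    return [
        f"oci iam user ui-password create-or-reset --user-id {shlex.quote(u['id'])}"
        for u in noncompliant
    ]


def live_user_list() -> str:
    """Fetch real data; needs a configured OCI CLI profile (not run in this example)."""
    return subprocess.check_output(
        ["oci", "iam", "user", "list", "--all", "--output", "json"], text=True
    )


if __name__ == "__main__":
    # Swap SAMPLE_USER_LIST for live_user_list() to run against a real tenancy.
    offenders = console_users_without_mfa(SAMPLE_USER_LIST)
    for user in offenders:
        print(f"non-compliant: {user['name']} ({user['id']})")  # notify these users first
    for cmd in reset_commands(offenders):
        print(cmd)  # review, then run deliberately: each reset invalidates that user's password
```

Print the commands and review them before executing anything: each reset invalidates the user's current password, and the CLI returns the generated one-time password in its response, so route that output somewhere appropriate for a secret rather than into a shared log.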
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_1_7
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v120_1_7 --share
SQL
This control uses a named query:
identity_user_console_access_mfa_enabled