
Users Should Have Multi-Factor Authentication (MFA/2SV)

Multi-factor authentication (MFA) is an important control for protecting corporate resources. MFA, also called 2-step verification (2SV), requires users to verify their identity with something they know (such as a password) plus something they have (such as a hardware security key, or a device that generates one-time codes).

Category

Controls

Medium

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure, Microsoft Entra ID

Coverage

5 queries

Asset types

2 covered

Remediation guidance

Make sure the flagged users have MFA activated. Depending on the provider and the service you use, follow the relevant procedure below:

AWS

Perform the following to enable a virtual MFA device for an IAM user:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. In the User Name list, choose the name of the intended MFA user.
  4. Choose the Security Credentials tab, and then choose Manage MFA Device.
  5. In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.

IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key, which is also available for manual entry on devices that cannot scan QR codes.

  6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
  7. Determine whether the MFA app supports QR codes, and then do one of the following:
  • Use the app to scan the QR code. For example, choose the camera icon or an option similar to Scan code, and then use the device's camera to scan the code.
  • In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.

When you are finished, the virtual MFA device starts generating one-time passwords.

  8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password, then type it into the Authentication Code 2 box. Choose Active Virtual MFA.

Treat the QR code and the secret configuration key like a password: anyone who captures either can generate valid codes for that user. Do not screenshot or store them after enrollment.

Forced IAM User Self-Service Remediation

Amazon has published a pattern that forces IAM users to set up MFA themselves before their full permission set becomes usable: until a user has enrolled and authenticated with MFA, an explicit Deny blocks every action except the handful needed to manage their own MFA device. The pattern can be applied to new AWS accounts and to existing ones; for existing accounts, give users instructions and a grace period to enroll before enforcing it.

How to Delegate Management of Multi-Factor Authentication to AWS IAM Users
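As an added illustration of that pattern (example code, not Amazon's published policy text and not part of this page): the policy below follows the shape of the AWS pattern, with a constructed Allow statement named RegularPermissions standing in for the user's normal permissions and every Resource simplified to "*", and is_allowed() is a small evaluator that models only the IAM semantics the pattern relies on (Action/NotAction matching, explicit deny wins, Bool versus BoolIfExists). It also shows why the Deny uses BoolIfExists rather than Bool: a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key at all, and only BoolIfExists denies it.

```python
"""Model of the 'no full permissions until MFA is present' IAM policy pattern.

Added example. The policy mirrors the published AWS pattern; RegularPermissions
is a constructed stand-in for a real user's permissions, and is_allowed() is a
deliberately small evaluator, not AWS's policy engine.
"""
import copy
import fnmatch

# Actions a user needs to enrol and resync their own virtual MFA device.
MFA_SELF_SERVICE_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]

SELF_SERVICE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Constructed stand-in for the user's normal permissions.
            "Sid": "RegularPermissions",
            "Effect": "Allow",
            "Action": ["s3:*", "ec2:Describe*"],
            "Resource": "*",
        },
        {   # The published pattern restricts Resource to the caller's own user
            # and MFA ARNs via ${aws:username}; simplified to "*" here.
            "Sid": "AllowManageOwnMFA",
            "Effect": "Allow",
            "Action": MFA_SELF_SERVICE_ACTIONS,
            "Resource": "*",
        },
        {   # Deny everything else unless MFA is present. BoolIfExists treats a
            # missing aws:MultiFactorAuthPresent key (long-term access keys) as
            # satisfying the condition, so those requests are denied as well.
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": MFA_SELF_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue          # missing key satisfies an ...IfExists clause
                return False          # plain operator: missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, request_context):
    """True if the action is allowed for this request context.
    Resource matching is omitted: every statement above uses Resource "*"."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        else:
            applies = not _action_matches(stmt["NotAction"], action)
        if not applies or not _condition_holds(stmt.get("Condition", {}), request_context):
            continue
        if stmt["Effect"] == "Deny":
            return False              # an explicit deny always wins
        allowed = True
    return allowed


def with_plain_bool(policy):
    """Same policy with Bool instead of BoolIfExists: the weaker, leaky variant."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return weak


# Request contexts: console session after MFA, console session before MFA,
# and a request signed with a long-term access key (no MFA key present).
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_REQUEST = {}

if __name__ == "__main__":
    for name, ctx in [("console+MFA", CONSOLE_WITH_MFA),
                      ("console, no MFA", CONSOLE_WITHOUT_MFA),
                      ("access key", ACCESS_KEY_REQUEST)]:
        for action in ("s3:ListAllMyBuckets", "iam:EnableMFADevice", "iam:DeleteUser"):
            verdict = "allow" if is_allowed(SELF_SERVICE_MFA_POLICY, action, ctx) else "deny"
            print(f"{name:16} {action:22} {verdict}")
    print("Bool variant, access key, s3:ListAllMyBuckets:",
          is_allowed(with_plain_bool(SELF_SERVICE_MFA_POLICY), "s3:ListAllMyBuckets", ACCESS_KEY_REQUEST))
```

Running it prints the three request contexts side by side: before MFA only the self-management actions pass, after MFA the regular permissions apply, and an access-key request is denied under BoolIfExists but slips through under plain Bool. The evaluator ignores Resource entirely, so do not use it to reason about resource-level access.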

References:

  1. http://tools.ietf.org/html/rfc6238
  2. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
  3. CCE-78901-6
  4. CIS CSC v6.0 #5.6, #11.4, #12.6, #16.11

Azure

Follow the Microsoft Entra ID documentation and enable multi-factor authentication for your tenant. Enabling and configuring MFA is a multi-step process: users register their authentication methods (at https://aka.ms/mfasetup), and administrators require MFA either with Conditional Access policies (Microsoft Entra ID P1 or P2) or, for tenants without those licenses, by turning on security defaults, which prompt every user to register for MFA.


Google Cloud

Google calls MFA 2-step verification (2SV). Each user enrolls individually; as an administrator you decide whether 2SV is allowed or enforced and which methods are acceptable. Your users can choose their 2SV method, or you can enforce a method for certain users or groups in your organization. For example, you can require a small team in Sales to use security keys.

Step 1: Notify users of 2-Step Verification deployment

Before deploying 2SV, communicate your company's plans to your users, including:

  • What 2SV is and why your company is using it.
  • Whether 2SV is optional or required.
  • If required, give the date by which users must turn on 2SV.
  • Which 2SV method is required or recommended.

Step 2: Allow users to turn on 2-Step Verification

User accounts created before December 2016 have 2SV on by default.

Let users turn on 2SV and use any verification method.

  1. In your Admin Console, go to Security > Authentication > 2-step verification.
  2. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
  3. Check the Allow users to turn on 2-Step Verification box.
  4. Select Enforcement > Off.
  5. Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.

Step 3: Enforce 2-Step Verification (Optional)

Before you begin: make sure users are already enrolled in 2SV. A user who is not enrolled when enforcement applies to their account cannot sign in.

  1. In your Admin Console, go to Security > Authentication > 2-step verification.
  2. For Enforcement, choose an option:
  • On - Starts immediately.
  • Turn on enforcement from date - Select the start date. Users see reminders to enroll in 2SV when they sign in. With this option, enforcement starts within 24-48 hours of the chosen date; if you need a precise start time, use On.
  3. (Optional) To give new employees time to enroll before enforcement applies to their accounts, for New user enrollment period, select a timeframe from 1 day to 6 months. During this period, new users can sign in with just their passwords.
  4. (Optional) To let users avoid repeated 2SV checks on trusted devices, under Frequency, check the Allow user to trust the device box. The first time a user signs in from a new device, they can check a box to trust it; the user is then not prompted for 2SV on that device unless they clear their cookies, revoke the device, or you reset the user's sign-in cookies. Trusting a device weakens the control for that device, since anyone holding its session cookies signs in without 2SV; consider leaving it off for administrators.

References


Alibaba

Via the management console

  1. Log on to the RAM console.
  2. Under Identities, choose Users.
  3. In the User Logon Name/Display Name column, click the username of the RAM user.
  4. In the Console Logon Management section, click Modify Logon Settings.
  5. Select Enabled for Console Password Logon and Required for Enable MFA.

Note: After you select Enabled for Console Password Logon and Required for Enable MFA in the logon settings of a RAM user, the user is prompted to bind an MFA device and can continue from step 7 when logging on to the RAM console for the first time.

  6. In the MFA Device section, click Enable the device.
  7. Download and install Google Authenticator on your mobile phone:
  • For iOS: install Google Authenticator from the App Store.
  • For Android: install Google Authenticator from the Google Play Store.

Note: You may need to install a QR code scanner from the Google Play Store for Google Authenticator to read QR codes.

  8. Open Google Authenticator, tap BEGIN SETUP, and do one of the following:
  • Tap Scan barcode and scan the QR code displayed on the Scan the code tab in the console.
  • Tap Manual entry, enter the username and key, and then tap the check mark (√) icon.

Note: You can obtain the username and key from the Retrieval manually enter information tab in the console.

  9. On the Scan the code tab, enter the two consecutive security codes obtained from Google Authenticator and click Enable.

Note: The security code is refreshed every 30 seconds. For more information, see Enable an MFA device for a RAM user.
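Both enrollment procedures above (AWS step 8 and Alibaba Cloud step 9) ask for two consecutive codes. The following added example, which is not code from either provider or from this page, implements the TOTP algorithm from RFC 6238 that virtual MFA devices use, and shows the two-code enrollment check and a sign-in check with one window of clock skew. It uses the RFC's reference key in base32 form so the codes match the RFC's published test values; the lag tolerance and skew window are my choices for illustration, not a provider's documented behaviour.

```python
"""RFC 6238 TOTP as used by virtual MFA devices, with the two-consecutive-code
enrolment check that the AWS and Alibaba Cloud consoles perform.

Added example, not provider code. The key is the RFC 6238 reference secret
"12345678901234567890" in base32; real secrets are generated by the provider.
"""
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30   # seconds per code; both consoles state the code changes every 30 s
DIGITS = 6

RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32("12345678901234567890")


def decode_base32(secret_b32: str) -> bytes:
    """Decode a base32 secret as shown by a console; tolerate spaces and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: float, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(decode_base32(secret_b32), int(at_time) // period)


def verify_enrollment(secret_b32: str, code1: str, code2: str, at_time: float = None,
                      period: int = PERIOD, lag_windows: int = 2) -> bool:
    """Enrolment check: code1 and code2 must come from two consecutive windows, in order.

    Two codes prove the device holds the secret and its clock is aligned; a single
    code could be guessed (1 in 10**6) or copied from a screenshot. The pair may
    have started up to lag_windows windows ago to allow for typing time."""
    now = time.time() if at_time is None else at_time
    key = decode_base32(secret_b32)
    current = int(now) // period
    for first in range(current - lag_windows, current + 1):
        if (hmac.compare_digest(hotp(key, first), code1)
                and hmac.compare_digest(hotp(key, first + 1), code2)):
            return True
    return False


def verify_login(secret_b32: str, code: str, at_time: float = None,
                 period: int = PERIOD, skew: int = 1) -> bool:
    """Sign-in check: accept the current window plus/minus skew windows of clock drift."""
    now = time.time() if at_time is None else at_time
    key = decode_base32(secret_b32)
    current = int(now) // period
    return any(hmac.compare_digest(hotp(key, w), code)
               for w in range(current - skew, current + skew + 1))


if __name__ == "__main__":
    # Simulate the console step: read the current code, wait for the next, submit both.
    t = 59
    code1 = totp(RFC6238_SECRET_B32, t)
    code2 = totp(RFC6238_SECRET_B32, t + PERIOD)
    print("codes:", code1, code2,
          "-> enrolled:", verify_enrollment(RFC6238_SECRET_B32, code1, code2, at_time=t + PERIOD))
    print("same code twice accepted:", verify_enrollment(RFC6238_SECRET_B32, code1, code1, at_time=t + PERIOD))
    print("reversed order accepted:", verify_enrollment(RFC6238_SECRET_B32, code2, code1, at_time=t + PERIOD))
```

The enrollment check rejects the same code entered twice and the two codes in reversed order, which is why the consoles insist on waiting for the second code. Both verifiers use hmac.compare_digest so the comparison time does not leak how many digits matched.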


Okta

Depending on your security requirements, you might want to enforce MFA at the organization level requiring users to authenticate using multiple factors when accessing the Okta Dashboard, at the application level requiring users to go through MFA when accessing a certain application, or both. You can read more in the Okta documentation.

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many users are affected): Deploy centralized detection and guardrails with AWS Config Conformance Packs (the managed rules mfa-enabled-for-iam-console-access and iam-user-mfa-enabled correspond to this check) and, if you run AWS Organizations, SCPs. An SCP that denies actions when aws:MultiFactorAuthPresent is not true should be scoped to specific sensitive actions and tested first: requests signed with long-term access keys carry no MFA context key and are denied by a BoolIfExists condition.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the console steps above to the affected users only.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) that flag IAM users created with console login profiles, and prefer federated access through IAM Identity Center over IAM users with passwords so the control has fewer identities to cover.

Google Cloud

SERVICE-WIDE (RECOMMENDED when many users are affected): 2SV is enforced in the Google Admin console (Security > Authentication > 2-step verification) per organizational unit or group, as described above. There is no Organization Policy constraint for it: org policies govern resource configuration, not user authentication. Use org policies for the resource-side guardrails that accompany this control, applied at org/folder level so new projects inherit them.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the Admin console steps above for the affected organizational units or groups only.

PREVENTIVE: Enforce 2SV with a new user enrollment period, and keep org policy constraints/custom constraints plus deployment-pipeline checks for the resource side.

Azure

SERVICE-WIDE (RECOMMENDED when many users are affected): Azure Policy can audit this control but not enforce it: the built-in definition "MFA should be enabled on accounts with owner permissions on your subscription" (AuditIfNotExists) reports the identities, and a remediation task cannot enroll a user in MFA. Enforce MFA with a Conditional Access policy in Microsoft Entra ID scoped to all users, or at minimum to users holding Azure role assignments and privileged directory roles. Use Policy assignments at management group/subscription scope for continuous compliance reporting:

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

Remediation tasks act only on definitions with deployIfNotExists or modify effects; for audit definitions such as the MFA one they have nothing to change.

ASSET-LEVEL: Have each listed user register MFA and confirm the Conditional Access policy covers them.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows for compliance visibility, and review Conditional Access exclusions (such as break-glass accounts) on a schedule.

References for Service-Wide Patterns

  • AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
  • AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
  • GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
  • GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
  • gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
  • Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
  • Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
  • Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • AWS: deploy/adjust organization conformance packs and, where appropriate, SCP guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
  • Google Cloud: allow and then enforce 2SV at organizational unit or group scope in the Admin console; apply org policy constraints at org/folder scope for resource-side guardrails.
gcloud org-policies set-policy policy.yaml
  • Azure: enforce MFA with Conditional Access in Microsoft Entra ID; assign policy initiatives at management group/subscription scope for compliance reporting.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize privileged identities first: the root user, subscription owners, super admins, and anyone with production access.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(where: { hasIAMUserCredentials: { passwordEnabled: true, mfaActive: false } }) {
    ...AssetFragment
  }
}

Google Cloud IAMUsers Without MFA

Connectors

Google Cloud

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
    ...AssetFragment
  }
}
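
The AWS and Google Cloud checks above can be reproduced offline from the providers' own exports: the AWS IAM credential report (aws iam generate-credential-report, then get-credential-report) exposes password_enabled and mfa_active per user, and the Admin SDK Directory API users.list response exposes isEnrolledIn2Sv and isEnforcedIn2Sv. The following added example (not Cyscale's query engine, and not code from the page) applies both predicates to constructed samples and adds two checks a practitioner wants alongside them: the root user, which is not an IAM user and whose password_enabled is reported as not_supported so the stored predicate skips it, and Google users who already have enforcement applied but are not enrolled. The column names and JSON fields are the real ones; the accounts and values are made up.

```python
"""Offline versions of the AWS and Google Cloud MFA checks.

Added example. CREDENTIAL_REPORT_CSV is a constructed, trimmed IAM credential
report (real column names, fewer columns than the real report, made-up values);
DIRECTORY_USERS_JSON is a constructed, trimmed Directory API users.list response.
"""
import csv
import io
import json

CREDENTIAL_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-03-01T08:12:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::111122223333:user/alice,2022-02-10T09:30:00+00:00,true,2024-03-02T07:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2022-06-20T11:00:00+00:00,true,2024-03-01T16:45:00+00:00,2024-01-15T00:00:00+00:00,N/A,false,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-03-03T12:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""

DIRECTORY_USERS_JSON = """{
  "kind": "admin#directory#users",
  "users": [
    {"primaryEmail": "alice@example.com", "suspended": false, "isAdmin": true,  "isEnrolledIn2Sv": true,  "isEnforcedIn2Sv": true},
    {"primaryEmail": "bob@example.com",   "suspended": false, "isAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true},
    {"primaryEmail": "carol@example.com", "suspended": false, "isAdmin": true,  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
    {"primaryEmail": "old-contractor@example.com", "suspended": true, "isAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false}
  ]
}"""


def _report_rows(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def aws_console_users_without_mfa(report_csv):
    """Same predicate as the stored AWS query: password_enabled true AND mfa_active false.
    Access-key-only users (password_enabled false) are out of scope of this check."""
    return sorted(r["user"] for r in _report_rows(report_csv)
                  if r["password_enabled"] == "true" and r["mfa_active"] == "false")


def aws_root_mfa_active(report_csv):
    """Root reports password_enabled as not_supported, so it needs its own check."""
    for r in _report_rows(report_csv):
        if r["user"] == "<root_account>":
            return r["mfa_active"] == "true"
    raise ValueError("credential report has no <root_account> row")


def google_users_not_enrolled(users_json, include_suspended=False):
    """Same predicate as the stored Google Cloud query: NOT isEnrolledIn2Sv.
    Suspended accounts cannot sign in and are excluded unless asked for."""
    users = json.loads(users_json).get("users", [])
    return sorted(u["primaryEmail"] for u in users
                  if not u.get("isEnrolledIn2Sv", False)
                  and (include_suspended or not u.get("suspended", False)))


def google_enforced_but_not_enrolled(users_json):
    """Users who cannot sign in once enforcement applies to them (see Step 3 above)."""
    users = json.loads(users_json).get("users", [])
    return sorted(u["primaryEmail"] for u in users
                  if u.get("isEnforcedIn2Sv") and not u.get("isEnrolledIn2Sv"))


def findings(report_csv, users_json):
    """Ordered list of (provider, identity, reason); privileged identities first."""
    out = []
    if not aws_root_mfa_active(report_csv):
        out.append((0, "aws", "<root_account>", "root user has no MFA"))
    for user in aws_console_users_without_mfa(report_csv):
        out.append((1, "aws", user, "console password without MFA"))
    users = json.loads(users_json).get("users", [])
    admins = {u["primaryEmail"] for u in users if u.get("isAdmin")}   # isAdmin = super admin
    for email in google_users_not_enrolled(users_json):
        if email in admins:
            out.append((0, "google", email, "super admin not enrolled in 2SV"))
        else:
            out.append((1, "google", email, "not enrolled in 2SV"))
    return [f[1:] for f in sorted(out)]


if __name__ == "__main__":
    for provider, identity, reason in findings(CREDENTIAL_REPORT_CSV, DIRECTORY_USERS_JSON):
        print(f"{provider:7} {identity:28} {reason}")
    print("enforced but not enrolled:", google_enforced_but_not_enrolled(DIRECTORY_USERS_JSON))
```

The sample deliberately includes an access-key-only user (ci-deploy) that the console-password predicate ignores; such users are not covered by this control and belong under access-key hygiene instead.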

Entra Users Without MFA With Access to Azure

Connectors

Microsoft Azure

Covered asset types

User

Expected check: eq []

{
  users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
    ...AssetFragment
  }
}

Multi-factor authentication is enabled for all RAM users that have a console password

Connectors

Alibaba Cloud

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(where: { hasIAMUserLoginProfile_SOME: { mfaBindRequired: false } }) {
    ...AssetFragment
  }
}

Entra users without MFA

Connectors

Microsoft Entra ID

Covered asset types

User

Expected check: eq []

{
  users(where: { mfaActive: false }) {
    ...AssetFragment
  }
}
© 2026 Cyscale Limited