# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|AWS|AWS Security Hub|AWS|MFA Enabled for Root user|
|AWS|AWS Security Hub|AWS|Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password|
```
Purpose: To verify whether Multi-Factor Authentication (MFA) is enforced for users or roles within an AWS environment. By requiring additional authentication factors, such as a code from a mobile app or a hardware token, MFA mitigates the risk of unauthorized access to sensitive AWS resources and actions.

RecommendedEvidenceName: MFAEnforced
```

# Step 2: Define the System Specific Data

In [None]:
# AWS Example
  [
      {
        "Action": null,
        "AwsAccountId": "022654265366",
        "CompanyName": "AWS",
        "Compliance": {
          "AssociatedStandards": [
            {
              "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            }
          ],
          "RelatedRequirements": null,
          "SecurityControlId": "IAM.5",
          "Status": "PASSED",
          "StatusReasons": null
        },
        "Confidence": null,
        "CreatedAt": "2022-06-28T20:02:45.165Z",
        "Criticality": null,
        "Description": "Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. It is recommended that MFA be enabled for all accounts that have a console password.",
        "FindingProviderFields": {
          "Confidence": null,
          "Criticality": null,
          "RelatedFindings": null,
          "Severity": {
            "Label": "INFORMATIONAL",
            "Original": "INFORMATIONAL"
          },
          "Types": [
            "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
          ]
        },
        "FirstObservedAt": "2022-06-28T20:02:45.165Z",
        "GeneratorDetails": null,
        "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.2",
        "Id": "arn:aws:securityhub:us-east-1:022654265366:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.2/finding/f6c59904-a98b-444c-813a-5057c40e9a81",
        "LastObservedAt": "2023-12-28T00:55:51.751Z",
        "Malware": null,
        "Network": null,
        "NetworkPath": null,
        "Note": null,
        "PatchSummary": null,
        "Process": null,
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "ProductFields": {
          "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation",
          "RelatedAWSResources:0/name": "securityhub-mfa-enabled-for-iam-console-access-f730386d",
          "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
          "Resources:0/Id": "arn:aws:iam::022654265366:user/test-user-one",
          "RuleId": "1.2",
          "StandardsControlArn": "arn:aws:securityhub:us-east-1:022654265366:control/cis-aws-foundations-benchmark/v/1.2.0/1.2",
          "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
          "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:022654265366:subscription/cis-aws-foundations-benchmark/v/1.2.0",
          "aws/securityhub/CompanyName": "AWS",
          "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:022654265366:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.2/finding/f6c59904-a98b-444c-813a-5057c40e9a81",
          "aws/securityhub/ProductName": "Security Hub"
        },
        "ProductName": "Security Hub",
        "RecordState": "ACTIVE",
        "Region": "us-east-1",
        "RelatedFindings": null,
        "Remediation": {
          "Recommendation": {
            "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
            "Url": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation"
          }
        },
        "Resources": [
          {
            "DataClassification": null,
            "Details": {
              "AwsAmazonMqBroker": null,
              "AwsApiGatewayRestApi": null,
              "AwsApiGatewayStage": null,
              "AwsApiGatewayV2Api": null,
              "AwsApiGatewayV2Stage": null,
              "AwsAppSyncGraphQlApi": null,
              "AwsAthenaWorkGroup": null,
              "AwsAutoScalingAutoScalingGroup": null,
              "AwsAutoScalingLaunchConfiguration": null,
              "AwsBackupBackupPlan": null,
              "AwsBackupBackupVault": null,
              "AwsBackupRecoveryPoint": null,
              "AwsCertificateManagerCertificate": null,
              "AwsCloudFormationStack": null,
              "AwsCloudFrontDistribution": null,
              "AwsCloudTrailTrail": null,
              "AwsCloudWatchAlarm": null,
              "AwsCodeBuildProject": null,
              "AwsDmsEndpoint": null,
              "AwsDmsReplicationInstance": null,
              "AwsDmsReplicationTask": null,
              "AwsDynamoDbTable": null,
              "AwsEc2Eip": null,
              "AwsEc2Instance": null,
              "AwsEc2LaunchTemplate": null,
              "AwsEc2NetworkAcl": null,
              "AwsEc2NetworkInterface": null,
              "AwsEc2RouteTable": null,
              "AwsEc2SecurityGroup": null,
              "AwsEc2Subnet": null,
              "AwsEc2TransitGateway": null,
              "AwsEc2Volume": null,
              "AwsEc2Vpc": null,
              "AwsEc2VpcEndpointService": null,
              "AwsEc2VpcPeeringConnection": null,
              "AwsEc2VpnConnection": null,
              "AwsEcrContainerImage": null,
              "AwsEcrRepository": null,
              "AwsEcsCluster": null,
              "AwsEcsContainer": null,
              "AwsEcsService": null,
              "AwsEcsTask": null,
              "AwsEcsTaskDefinition": null,
              "AwsEfsAccessPoint": null,
              "AwsEksCluster": null,
              "AwsElasticBeanstalkEnvironment": null,
              "AwsElasticsearchDomain": null,
              "AwsElbLoadBalancer": null,
              "AwsElbv2LoadBalancer": null,
              "AwsEventSchemasRegistry": null,
              "AwsEventsEndpoint": null,
              "AwsEventsEventbus": null,
              "AwsGuardDutyDetector": null,
              "AwsIamAccessKey": null,
              "AwsIamGroup": null,
              "AwsIamPolicy": null,
              "AwsIamRole": null,
              "AwsIamUser": {
                "AttachedManagedPolicies": null,
                "CreateDate": "2020-08-09T06:03:44.000Z",
                "GroupList": [
                  "Force_MFA",
                  "continube_admins"
                ],
                "Path": "/",
                "PermissionsBoundary": null,
                "UserId": "BACDFGHYTUISAB$",
                "UserName": "test-user-one",
                "UserPolicyList": null
              },
              "AwsKinesisStream": null,
              "AwsKmsKey": null,
              "AwsLambdaFunction": null,
              "AwsLambdaLayerVersion": null,
              "AwsMskCluster": null,
              "AwsNetworkFirewallFirewall": null,
              "AwsNetworkFirewallFirewallPolicy": null,
              "AwsNetworkFirewallRuleGroup": null,
              "AwsOpenSearchServiceDomain": null,
              "AwsRdsDbCluster": null,
              "AwsRdsDbClusterSnapshot": null,
              "AwsRdsDbInstance": null,
              "AwsRdsDbSecurityGroup": null,
              "AwsRdsDbSnapshot": null,
              "AwsRdsEventSubscription": null,
              "AwsRedshiftCluster": null,
              "AwsRoute53HostedZone": null,
              "AwsS3AccountPublicAccessBlock": null,
              "AwsS3Bucket": null,
              "AwsS3Object": null,
              "AwsSageMakerNotebookInstance": null,
              "AwsSecretsManagerSecret": null,
              "AwsSnsTopic": null,
              "AwsSqsQueue": null,
              "AwsSsmPatchCompliance": null,
              "AwsStepFunctionStateMachine": null,
              "AwsWafRateBasedRule": null,
              "AwsWafRegionalRateBasedRule": null,
              "AwsWafRegionalRule": null,
              "AwsWafRegionalRuleGroup": null,
              "AwsWafRegionalWebAcl": null,
              "AwsWafRule": null,
              "AwsWafRuleGroup": null,
              "AwsWafWebAcl": null,
              "AwsWafv2RuleGroup": null,
              "AwsWafv2WebAcl": null,
              "AwsXrayEncryptionConfig": null,
              "Container": null,
              "Other": null
            },
            "Id": "arn:aws:iam::022654265366:user/test-user-one",
            "Partition": "aws",
            "Region": "us-east-1",
            "ResourceRole": null,
            "Tags": null,
            "Type": "AwsIamUser"
          }
        ],
        "Sample": null,
        "SchemaVersion": "2018-10-08",
        "Severity": {
          "Label": "INFORMATIONAL",
          "Normalized": 0,
          "Original": "INFORMATIONAL",
          "Product": 0
        },
        "SourceUrl": null,
        "ThreatIntelIndicators": null,
        "Threats": null,
        "Title": "1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password",
        "Types": [
          "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
        ],
        "UpdatedAt": "2023-12-28T00:55:38.732Z",
        "UserDefinedFields": null,
        "VerificationState": null,
        "Vulnerabilities": null,
        "Workflow": {
          "Status": "RESOLVED"
        },
        "WorkflowState": "NEW"
      }
  ]

# Step 3: Define the Standard Schema

In [None]:
{
    # Meta
    "System": "aws",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "arn:aws:iam::022654265366:user/test-user-one",
    "ResourceName": "test-user-one",
    "ResourceType": "AwsIamUser",
    "ResourceLocation": "global",
    "ResourceTags": null,

    # Data
    "MFAEnforced": "true",

    # Compliance details
    "ValidationStatusCode": "MFA_ENFORCED",
    "ValidationStatusNotes": "MFA is enforced",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "Record is compliant as MFA is enforced",
    "EvaluatedTime": "2023-12-22T07:02:57.788Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|MFAEnforced|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-one|test-user-one|AwsIamUser|global||true|MFA_ENFORCED|MFA is enforced|COMPLIANT|Record is compliant as MFA is enforced|2023-12-22T07:02:57.788Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-two|test-user-two|AwsIamUser|global||false|MFA_NOT_ENFORCED|MFA is not enforced|NON_COMPLIANT|Record is not compliant as MFA is not enforced|2023-12-22T07:02:57.788Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-three|test-user-three|AwsIamUser|global||true|MFA_ENFORCED|MFA is enforced|COMPLIANT|Record is compliant as MFA is enforced|2023-12-22T07:02:57.788Z||||


# Step 4: Describe the Compliance Taxonomy

|MFAEnforced|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|---|
|true|MFA_ENFORCED|MFA is enforced|COMPLIANT|Record is compliant as MFA is enforced|
|false|MFA_NOT_ENFORCED|MFA is not enforced|NON_COMPLIANT|Record is not compliant as MFA is not enforced|

# Step 5: Calculation for Compliance Percentage and Status

In [None]:
# Calculation of Compliance Percentage
CompliancePCT = (100 - (Count of 'NON_COMPLIANT' records * 100) / Total records)

# Compliance Status
COMPLIANT - CompliancePCT = 100%
NON_COMPLIANT - 0% <= CompliancePCT < 100%
NOT_DETERMINED - If no records are found in the account
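The following is an added example, not ComplianceCow's own rule code: it maps a Security Hub IAM.5 finding (Step 2) into the standard schema (Step 3) using the taxonomy from Step 4, then applies the Step 5 percentage and status calculation. The findings it processes are constructed and carry only the fields the mapping reads.

```python
# Added example (not ComplianceCow's rule code): ASFF IAM.5 finding -> standard
# schema record, then the Step 5 roll-up. Sample findings below are constructed.

# Compliance taxonomy from Step 4, keyed by the MFAEnforced value.
TAXONOMY = {
    True: ("MFA_ENFORCED", "MFA is enforced", "COMPLIANT",
           "Record is compliant as MFA is enforced"),
    False: ("MFA_NOT_ENFORCED", "MFA is not enforced", "NON_COMPLIANT",
            "Record is not compliant as MFA is not enforced"),
}

def to_standard_record(finding, evaluated_time):
    """One schema record per finding; Compliance.Status PASSED means MFA is enforced."""
    resource = finding["Resources"][0]
    user = (resource.get("Details") or {}).get("AwsIamUser") or {}
    mfa_enforced = finding["Compliance"]["Status"] == "PASSED"
    code, notes, status, reason = TAXONOMY[mfa_enforced]
    return {
        "System": "aws", "Source": "compliancecow",
        "ResourceID": resource["Id"],
        "ResourceName": user.get("UserName") or resource["Id"].rsplit("/", 1)[-1],
        "ResourceType": resource["Type"],
        "ResourceLocation": "global", "ResourceTags": resource.get("Tags"),  # IAM is global
        "MFAEnforced": "true" if mfa_enforced else "false",
        "ValidationStatusCode": code, "ValidationStatusNotes": notes,
        "ComplianceStatus": status, "ComplianceStatusReason": reason,
        "EvaluatedTime": evaluated_time,
        "UserAction": "", "ActionStatus": "", "ActionResponseURL": "",
    }

def compliance_summary(records):
    """Step 5: CompliancePCT = 100 - (NON_COMPLIANT * 100) / total;
    COMPLIANT only at 100%, NOT_DETERMINED when there are no records."""
    total = len(records)
    if total == 0:
        return 0.0, "NOT_DETERMINED"
    non_compliant = sum(r["ComplianceStatus"] == "NON_COMPLIANT" for r in records)
    pct = 100 - (non_compliant * 100) / total
    return pct, "COMPLIANT" if pct == 100 else "NON_COMPLIANT"

def sample_finding(user, status):
    """Constructed minimal finding carrying only the fields the mapping reads."""
    arn = f"arn:aws:iam::022654265366:user/{user}"
    return {"Compliance": {"Status": status},
            "Resources": [{"Id": arn, "Type": "AwsIamUser", "Tags": None,
                           "Details": {"AwsIamUser": {"UserName": user}}}]}

SAMPLE_FINDINGS = [sample_finding("test-user-one", "PASSED"),
                   sample_finding("test-user-two", "FAILED"), sample_finding("test-user-three", "PASSED")]
```

With one non-compliant user out of three, the summary is 66.67% and NON_COMPLIANT, matching the sample data in Step 3.a.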

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

The user << username >> does not have MFA. Enable MFA in AWS by following the steps below:

1. Log in to AWS Console: Access the AWS Management Console using your credentials.
2. Navigate to IAM: Click on the "Services" dropdown menu and select "IAM" under "Security, Identity, & Compliance."
3. Select User or Role: In the IAM dashboard, choose the user or role for which you want to enforce MFA.
4. Access Security Credentials: Within the user or role settings, navigate to the "Security credentials" tab.
5. Enable MFA: Locate the "Multi-Factor Authentication (MFA)" section and click "Manage MFA."
6. Choose MFA Method: Select the preferred MFA method, such as "Virtual MFA device" or "Hardware MFA device."
7. Follow Setup Instructions: Depending on the chosen method, follow the on-screen instructions to set up MFA.
8. Complete Configuration: Once MFA is successfully set up, confirm and save the changes.
9. Verify: Test the MFA setup by logging out and logging back in, ensuring that MFA prompts for additional authentication.

Refer to the AWS documentation for more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | AWSMFAReport                  |
| **PreRequisiteRuleNames**  | AWSCredentialReport           |
| **ExtendedSchemaRuleNames**| AWSCredentialReport           |
| **ApplicationClassName**   | AWSAppConnector               |
| **PostSynthesizerName**    | linkrecords                   |