# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|aws|compliancecow||Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password|

```
Purpose: To verify that Multi-Factor Authentication (MFA) is enforced for users or roles within an AWS environment. By requiring an additional authentication factor, such as a code from a mobile app or a hardware token, MFA mitigates the risk of unauthorized access to sensitive AWS resources and actions when a password alone has been compromised.
```
```
RecommendedEvidenceName: AWSMFAReport
```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

AWS example:

```
[
  {
    "User": "johndoe",
    "ARN": "arn:aws:iam::022654265366:johndoe",
    "UserCreationTime": "2023-03-17T07:04:00+00:00",
    "PasswordEnabled": true,
    "PasswordLastUsed": "2024-03-08T05:47:36+00:00",
    "PasswordLastChanged": "2023-03-17T07:04:00+00:00",
    "PasswordNextRotation": "N/A",
    "MFAActive": false,
    "AccessKey1Active": true,
    "AccessKey1LastRotated": "N/A",
    "AccessKey1LastUsed": "2024-03-13T06:47:00+00:00",
    "AccessKey1LastUsedRegion": "us-west-2",
    "AccessKey1LastUsedService": "securityhub",
    "AccessKey2Active": true,
    "AccessKey2LastRotated": "",
    "Accesskey2LastUsedDate": "",
    "AccessKey2LastUsedRegion": "",
    "AccessKey2LastUsedService": "",
    "Cert1Active": "",
    "Cert1LastRotated": "",
    "Cert2Active": "",
    "Cert2LastRotated": "",
    "MFADevices": ""
  }
]
```

# Step 3: Define the Standard Schema
```
{
    # Meta
    "System": "aws",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "arn:aws:iam::022654265366:user/test-user-one",
    "ResourceName": "test-user-one",
    "ResourceType": "AwsIamUser",
    "ResourceLocation": "global",
    "ResourceTags": null,
    "ResourceURL": "https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-one",

    # Data
    "MFAEnforced": "true",

    # Compliance details
    "ValidationStatusCode": "MFA_PR",
    "ValidationStatusNotes": "MFA present",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "Record is compliant as MFA is enforced",
    "EvaluatedTime": "2023-12-22T07:02:57.788Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|ResourceURL|MFAEnforced|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-one|test-user-one|AwsIamUser|global||https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-one|true|MFA_PR|MFA present|COMPLIANT|Record is compliant as MFA is enforced|2023-12-22T07:01:57.788Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-two|test-user-two|AwsIamUser|global||https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-two|false|MFA_NP|MFA is not enforced|NON_COMPLIANT|Record is not compliant as MFA is not enforced|2023-12-22T07:02:57.788Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-three|test-user-three|AwsIamUser|global||https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/users/details/test-user-three|true|MFA_ENFORCED|MFA is enforced|COMPLIANT|Record is compliant as MFA is enforced|2023-12-22T07:03:57.788Z||||


# Step 4: Describe the Compliance Taxonomy

|MFAEnforced|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|---|
|true|MFA_PR|MFA present|COMPLIANT|Record is compliant as MFA is enforced|
|false|MFA_NP|MFA not present|NON_COMPLIANT|Record is not compliant as MFA is not enforced|

# Step 5: Calculation for Compliance Percentage and Status
```
# Calculation of Compliance Percentage

TotalRecordCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
FailedRecordCount = Count of 'NON_COMPLIANT' records

CompliancePCT = int(100 - ((FailedRecordCount * 100) / TotalRecordCount))
```

TotalRecordCount must be greater than zero; when no records were evaluated the percentage is undefined and must not be computed as above.

Compliance Status

|ComplianceStatus|CompliancePCT|
|---|---|
|COMPLIANT|100%|
|NON_COMPLIANT|0% to less than 100%|
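The following Python script is an added example, not ComplianceCow's own rule code: it takes records shaped like the Step 2 extended data, maps each one to the Step 3 standard schema with the Step 4 taxonomy, and then applies the Step 5 percentage calculation. The function names, the sample records, the account id `111111111111` and the `NOT_DETERMINED` status used for an empty record set are assumptions of the demo; users without a console password are skipped because the Step 1 purpose limits the control to users that have one.

```python
"""Evaluate AWS IAM credential-report records against the MFA taxonomy.

Added example for this page; it is not ComplianceCow's own rule code.
Function names, the sample records, the account id 111111111111 and the
NOT_DETERMINED status for an empty record set are assumptions of the demo.
"""
from datetime import datetime, timezone

# Constructed sample input in the shape of the Step 2 extended-data records.
# Only the fields the taxonomy needs are filled in.
SAMPLE_RECORDS = [
    {"User": "test-user-one", "ARN": "arn:aws:iam::111111111111:user/test-user-one",
     "PasswordEnabled": True, "MFAActive": True},
    {"User": "test-user-two", "ARN": "arn:aws:iam::111111111111:user/test-user-two",
     "PasswordEnabled": True, "MFAActive": False},
    # No console password, so outside the control's scope (Step 1 purpose).
    {"User": "svc-deploy", "ARN": "arn:aws:iam::111111111111:user/svc-deploy",
     "PasswordEnabled": False, "MFAActive": False},
]

CONSOLE_URL = ("https://us-east-1.console.aws.amazon.com/iamv2/home"
               "?region=us-east-1#/users/details/{user}")


def iso_millis(ts):
    """Format a UTC datetime like the page's EvaluatedTime values (millisecond precision, 'Z')."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def evaluate_record(rec, evaluated_time=None):
    """Map one extended-data record to the Step 3 standard schema using the Step 4 taxonomy.

    Returns None for users without a console password: the control only covers
    users that can log in with a password.
    """
    if not rec.get("PasswordEnabled", False):
        return None
    mfa = bool(rec.get("MFAActive", False))
    return {
        "System": "aws",
        "Source": "compliancecow",
        "ResourceID": rec["ARN"],
        "ResourceName": rec["User"],
        "ResourceType": "AwsIamUser",
        "ResourceLocation": "global",
        "ResourceTags": None,
        "ResourceURL": CONSOLE_URL.format(user=rec["User"]),
        "MFAEnforced": "true" if mfa else "false",
        "ValidationStatusCode": "MFA_PR" if mfa else "MFA_NP",
        "ValidationStatusNotes": "MFA present" if mfa else "MFA not present",
        "ComplianceStatus": "COMPLIANT" if mfa else "NON_COMPLIANT",
        "ComplianceStatusReason": ("Record is compliant as MFA is enforced" if mfa
                                   else "Record is not compliant as MFA is not enforced"),
        "EvaluatedTime": iso_millis(evaluated_time or datetime.now(timezone.utc)),
        "UserAction": "",
        "ActionStatus": "",
        "ActionResponseURL": "",
    }


def evaluate_all(records, evaluated_time=None):
    """Standard-schema records for every in-scope user."""
    results = (evaluate_record(r, evaluated_time) for r in records)
    return [r for r in results if r is not None]


def compliance_summary(standard_records):
    """Step 5 arithmetic over the standard-schema records.

    An empty record set would divide by zero, so it is reported as NOT_DETERMINED
    (an assumed status; the page defines only COMPLIANT and NON_COMPLIANT).
    """
    counted = [r for r in standard_records
               if r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT")]
    total = len(counted)
    failed = sum(1 for r in counted if r["ComplianceStatus"] == "NON_COMPLIANT")
    if total == 0:
        return {"TotalRecordCount": 0, "FailedRecordCount": 0,
                "CompliancePCT": None, "ComplianceStatus": "NOT_DETERMINED"}
    pct = int(100 - ((failed * 100) / total))
    return {"TotalRecordCount": total, "FailedRecordCount": failed,
            "CompliancePCT": pct,
            "ComplianceStatus": "COMPLIANT" if pct == 100 else "NON_COMPLIANT"}


if __name__ == "__main__":
    std = evaluate_all(SAMPLE_RECORDS)
    for r in std:
        print(r["ResourceName"], r["ValidationStatusCode"], r["ComplianceStatus"])
    print(compliance_summary(std))
```

With the constructed sample, two users are in scope, one of them without MFA, so the summary reports a CompliancePCT of 50 and a NON_COMPLIANT status; the service user with no console password does not appear in the evidence at all. Note that `MFAActive` in the credential report only says whether a device is assigned to the user; it does not prove that every sign-in path requires it, which is why the page's remediation step ends with a login test.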

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

The user << username >> does not have MFA. Enable MFA in AWS by following the steps below:

1. Log in to the AWS Console: access the AWS Management Console using your credentials.
2. Navigate to IAM: click the "Services" dropdown menu and select "IAM" under "Security, Identity, & Compliance".
3. Select the user or role: in the IAM dashboard, choose the user or role for which you want to enforce MFA.
4. Access security credentials: within the user or role settings, open the "Security credentials" tab.
5. Enable MFA: locate the "Multi-Factor Authentication (MFA)" section and click "Manage MFA".
6. Choose the MFA method: select the preferred MFA method, such as "Virtual MFA device" or "Hardware MFA device".
7. Follow the setup instructions: depending on the chosen method, follow the on-screen instructions to set up MFA.
8. Complete the configuration: once MFA is successfully set up, confirm and save the changes.
9. Verify: test the MFA setup by logging out and logging back in, making sure you are prompted for the additional factor.

Refer to the AWS documentation for more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | AWSMFAReport                  |
| **PreRequisiteRuleNames**  | AWSCredentialReport           |
| **ApplicationClassName**   | AWSAppConnector               |