How to Check MFA in a Credential Report
The Need to Verify Active Use of MFA
To enhance the security of your AWS environment, you must ensure that multi-factor authentication (MFA) is enabled for all IAM users that have a console password. MFA is a basic tenet of data security that adds an additional layer of protection for your user accounts. In this demo, AWS expert Mike Wise will teach you how to use a credential report to verify whether MFA is enabled for your AWS users.
- From the AWS Management Console, navigate to the IAM Dashboard.
- To generate the appropriate report, go to the Credential Report section and click Download Report.
- Open the CSV file and find the mfa_active column. If this column is TRUE for every user, all of your AWS users have MFA enabled and cannot log in to the AWS Management Console without using MFA.
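For a report with more than a handful of rows, the mfa_active check in the last step can be scripted. The Python below is an added example, not part of the original demo: it reads the report CSV and lists only users who have a console password but no active MFA. The sample rows are constructed (only <root_account> and IAMPolicyDemo appear on this page), and the password_enabled column and its not_supported value for the root row are taken from the credential report format rather than from the demo.

```python
import csv
import io
import sys

# Constructed sample in the credential report layout (subset of its columns).
# The example-* users and the account ID are made up for illustration.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false
IAMPolicyDemo,arn:aws:iam::111122223333:user/IAMPolicyDemo,true,true,false
example-console-user,arn:aws:iam::111122223333:user/example-console-user,true,false,true
example-ci-user,arn:aws:iam::111122223333:user/example-ci-user,false,false,true
"""


def is_true(value):
    # The raw CSV holds lowercase true/false; spreadsheets display TRUE/FALSE.
    return value.strip().lower() == "true"


def users_missing_mfa(report_csv):
    """Return users who can sign in to the console but have no active MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as not_supported, yet root
        # can always sign in with a password, so it is always in scope.
        has_console_password = (
            user == "<root_account>" or is_true(row["password_enabled"])
        )
        if has_console_password and not is_true(row["mfa_active"]):
            findings.append(user)
    return findings


if __name__ == "__main__":
    # Pass the downloaded report path as the first argument, or run with no
    # arguments to check the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as handle:
            report = handle.read()
    else:
        report = SAMPLE_REPORT
    missing = users_missing_mfa(report)
    for name in missing:
        print(f"console password without MFA: {name}")
    sys.exit(1 if missing else 0)
```

Users with password_enabled set to false (such as the access-key-only example-ci-user row) are skipped, because the requirement above is scoped to users that have a console password.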
For a visual guide on how to generate a credential report and check the MFA status for your AWS users, watch the full demo.
Transcription
To start off, we’re going to log in to our AWS Management Console. Then, we’re going to search for “IAM”. Then, we’re going to go to “Credential Report.” We’re going to go to “Download Report.” Once you download the report, we’re going to open it up and look at the “mfa_active” column. What this column tells us is if the user has MFA enabled for their account. As we can see, for both of our users, for both our “<root_account>” user and our “IAMPolicyDemo” user, we have MFA active because it’s set to “TRUE.” This means that users will not be able to log in to the AWS Management Console without first authenticating with both their user and password and their multi-factor authentication code.