AWS Directory Service directory has RADIUS-based MFA enabled
directoryservice_supported_mfa_radius_enabled
Each AWS Directory Service directory is evaluated for RADIUS-backed multi-factor authentication: the check passes only when RADIUS settings are present on the directory and the RADIUS integration status is Completed (a directory with no RADIUS settings, or whose integration is still Creating or has Failed, is reported as failing).
Risk
Without RADIUS MFA, directory-based sign-ins to AWS-integrated services (for example WorkSpaces, Client VPN, or the AWS Management Console via Directory Service) rely on a single factor, so credential stuffing and phishing succeed as soon as a password is known. A compromised password then grants unauthorized access, enabling data exfiltration and privilege escalation and undermining confidentiality and integrity.
prowler aws --checks directoryservice_supported_mfa_radius_enabled
Recommendation
Enable and enforce RADIUS-based MFA for all Directory Service authentications. Apply least privilege, harden and monitor the RADIUS infrastructure, rotate the shared secret, and restrict network access so that only the directory's domain controllers can reach the RADIUS port (UDP/1812 by default, or whichever port you configure). Use defense in depth with segmentation and session controls to limit lateral movement and reduce blast radius. After enabling, confirm the RADIUS status reports Completed; a Failed or stuck integration leaves sign-ins single-factor.
Remediation
aws ds enable-radius --directory-id <example_resource_id> --radius-settings '{"RadiusServers":["<RADIUS_IP_OR_DNS>"],"RadiusPort":1812,"RadiusTimeout":30,"RadiusRetries":3,"SharedSecret":"<SHARED_SECRET>","AuthenticationProtocol":"MS-CHAPv2","DisplayLabel":"MFA","UseSameUsername":true}'
- Sign in to the AWS Console and open Directory Service
- Select your directory and open it
- Go to the Networking & security tab
- In Multi-factor authentication, click Actions > Enable
- Enter the RADIUS server DNS name(s) or IP address(es), port, shared secret, authentication protocol, server timeout and maximum retries, then click Enable
- Wait until the RADIUS status shows Completed; if it shows Failed, check that the RADIUS server accepts traffic from the directory's domain controller IPs and that the shared secret matches
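The following is an added example, not Prowler's own check code or AWS's tooling. It reproduces the evaluation described above (RADIUS settings present, servers listed, RadiusStatus equal to Completed) as a pure function over the shape of a DescribeDirectories response, and builds the RadiusSettings map used by the enable-radius remediation with local validation of the values the API would otherwise reject. The sample directory descriptions are constructed for the example; the `main()` helper that talks to AWS through boto3 is an assumption about how you would wire it into a real account, and the numeric ranges enforced in `build_radius_settings` are taken from the RadiusSettings API reference as understood here.

```python
"""Evaluate Directory Service directories for RADIUS MFA and build the
enable-radius payload. Added example; not Prowler's or AWS's own code."""
from dataclasses import dataclass
from typing import Iterable

RADIUS_COMPLETED = "Completed"  # RadiusStatus values: Creating | Completed | Failed
VALID_PROTOCOLS = {"PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2"}

# Constructed sample, mirroring DescribeDirectories output; not real data.
SAMPLE_DIRECTORIES = [
    {"DirectoryId": "d-1111111111",
     "RadiusSettings": {"RadiusServers": ["10.0.0.5"], "RadiusPort": 1812},
     "RadiusStatus": "Completed"},
    {"DirectoryId": "d-2222222222"},  # RADIUS never enabled
    {"DirectoryId": "d-3333333333",
     "RadiusSettings": {"RadiusServers": ["10.0.0.6"], "RadiusPort": 1812},
     "RadiusStatus": "Failed"},  # configured, but the integration is broken
]


@dataclass(frozen=True)
class Finding:
    directory_id: str
    status: str  # "PASS" or "FAIL"
    detail: str


def evaluate_directory(desc: dict) -> Finding:
    """PASS only when settings exist, at least one server is listed, and the
    integration status is Completed; anything else means no working 2nd factor."""
    did = desc.get("DirectoryId", "<unknown>")
    settings = desc.get("RadiusSettings")
    status = desc.get("RadiusStatus")
    if not settings:
        return Finding(did, "FAIL", "RADIUS MFA is not configured")
    if not settings.get("RadiusServers"):
        return Finding(did, "FAIL", "RADIUS settings present but no servers listed")
    if status != RADIUS_COMPLETED:
        return Finding(did, "FAIL", f"RADIUS status is {status!r}, not Completed")
    return Finding(did, "PASS", f"RADIUS MFA enabled via {settings['RadiusServers']}")


def evaluate_all(descriptions: Iterable[dict]) -> list[Finding]:
    return [evaluate_directory(d) for d in descriptions]


def build_radius_settings(servers, shared_secret, *, port=1812, timeout=30,
                          retries=3, protocol="MS-CHAPv2",
                          display_label="MFA", use_same_username=True) -> dict:
    """Build the RadiusSettings map for ds:EnableRadius. Ranges below follow
    the RadiusSettings API reference (assumed here): port 1025-65535,
    timeout 1-50 s, retries 0-10, shared secret 8-512 chars."""
    servers = list(servers)
    if not servers or len(servers) > 256:
        raise ValueError("between 1 and 256 RADIUS servers are required")
    if not 8 <= len(shared_secret) <= 512:
        raise ValueError("shared secret must be 8 to 512 characters")
    if not 1025 <= port <= 65535:
        raise ValueError("RadiusPort must be 1025-65535")
    if not 1 <= timeout <= 50:
        raise ValueError("RadiusTimeout must be 1-50 seconds")
    if not 0 <= retries <= 10:
        raise ValueError("RadiusRetries must be 0-10")
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"AuthenticationProtocol must be one of {sorted(VALID_PROTOCOLS)}")
    return {
        "RadiusServers": servers,
        "RadiusPort": port,
        "RadiusTimeout": timeout,
        "RadiusRetries": retries,
        "SharedSecret": shared_secret,
        "AuthenticationProtocol": protocol,
        "DisplayLabel": display_label,
        "UseSameUsername": use_same_username,
    }


def main(directory_id=None, servers=None, shared_secret=None):
    """Assumed wiring for a live account: list findings, optionally remediate.
    boto3 is imported here so the pure functions above run offline."""
    import boto3
    ds = boto3.client("ds")
    descriptions = []
    for page in ds.get_paginator("describe_directories").paginate():
        descriptions.extend(page["DirectoryDescriptions"])
    for f in evaluate_all(descriptions):
        print(f"{f.status} {f.directory_id}: {f.detail}")
    if directory_id and servers and shared_secret:
        ds.enable_radius(DirectoryId=directory_id,
                         RadiusSettings=build_radius_settings(servers, shared_secret))


if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_DIRECTORIES):  # offline demonstration on the sample
        print(f"{f.status} {f.directory_id}: {f.detail}")
```

Run with `python3 radius_mfa_check.py` to see the three sample verdicts; `main()` needs AWS credentials with `ds:DescribeDirectories` (and `ds:EnableRadius` if you pass remediation arguments). The Failed sample matters in practice: a directory can carry RADIUS settings and still authenticate single-factor, which is why the check keys on the status rather than on the mere presence of settings.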
Source Code
Resource Type
Other