IAM groups with the AdministratorAccess managed policy are assessed to ensure all member users have active MFA.
The finding highlights any administrator group that includes a user without MFA enrollment or activation.
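As an added illustration of the check logic (not Prowler's own implementation), the Python below flags users in AdministratorAccess groups whose credential report row has mfa_active false. Inputs are constructed inline and shaped like the IAM API responses (attached group policies, group membership, a trimmed credential report CSV).

```python
import csv
import io

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample: group -> attached managed policy ARNs
# (shape follows iam:ListAttachedGroupPolicies).
GROUP_POLICIES = {
    "admins": [ADMIN_POLICY_ARN],
    "developers": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
}

# Constructed sample: group -> member user names (shape follows iam:GetGroup).
GROUP_MEMBERS = {
    "admins": ["alice", "bob", "carol"],
    "developers": ["dave"],
}

# Constructed, trimmed credential report (real reports carry more columns).
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
carol,arn:aws:iam::123456789012:user/carol,false,false
dave,arn:aws:iam::123456789012:user/dave,true,false
"""

def parse_mfa_status(report_csv):
    """Map user name -> True when mfa_active is 'true' in the credential report."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {r["user"]: r["mfa_active"].strip().lower() == "true" for r in rows}

def admin_groups(group_policies):
    """Groups with AdministratorAccess attached directly."""
    return [g for g, arns in group_policies.items() if ADMIN_POLICY_ARN in arns]

def admin_users_without_mfa(group_policies, group_members, report_csv):
    """Return {group: [members without MFA]} for each admin group; {} means PASS."""
    mfa = parse_mfa_status(report_csv)
    findings = {}
    for group in admin_groups(group_policies):
        # Any member lacking MFA (or absent from the report) fails the group.
        missing = [u for u in group_members.get(group, []) if not mfa.get(u, False)]
        if missing:
            findings[group] = missing
    return findings

if __name__ == "__main__":
    print(admin_users_without_mfa(GROUP_POLICIES, GROUP_MEMBERS, CREDENTIAL_REPORT))
```

Users with no console password (carol in the sample) are still reported, matching the finding's rule that any member without MFA fails the group.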
Risk
Admin users without MFA are vulnerable to single-factor compromise. Stolen or guessed credentials can yield full control, enabling privilege escalation, policy changes, data exfiltration, and destructive operations, impacting confidentiality, integrity, and availability.
prowler aws --checks iam_administrator_access_with_mfa
Recommendation
Enforce MFA for all administrator identities.
- Add conditions (e.g., aws:MultiFactorAuthPresent) to privileged permissions
- Prefer hardware/FIDO2 devices
- Apply least privilege and favor roles/SSO over users
- Continuously monitor MFA status and remove unused admin access
Remediation
aws iam detach-group-policy --group-name <IAM_GROUP_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
- In the AWS Console, go to IAM > User groups and open the group that has the AdministratorAccess policy.
- Note the users listed in the group. For each user, open IAM > Users > <user>.
- On the Security credentials tab, under Multi-factor authentication (MFA), select Assign MFA device.
- Choose Authenticator app (or a security key), follow the prompts, enter the two MFA codes, and click Add MFA.
- Repeat for all users in the group. Verify in IAM > Credential report that mfa_active is true for each user.
Source Code
Resource Type
AwsIamGroup