aws_05_mfa_console_users.py
AWS-01 covers the root account. This check covers everyone else. An organisation can enforce root MFA and still have twenty developers, three analysts, and two DBAs logging into the console with nothing but a password. One phished credential, one leaked .env file in a public repository, or one reused password from a breached service is enough. Console access without MFA is an open door — the question is only whether anyone walks through it.
You are three weeks into a DORA technical resilience assessment for an EU-regulated financial entity. Article 9 requires strong authentication for access to ICT systems. You run this script across the client's three AWS accounts. Main production account: PASS. DR account: FAIL — two users with console access have no MFA device assigned, one of whom has admin-level permissions. Both findings require immediate remediation as a condition of the assessment sign-off.
aws_05_mfa_console_users.py enumerates all IAM users, identifies those with a console login profile, and checks whether each has at least one MFA device assigned. Users without a login profile are excluded — they have no console surface to protect. The output includes a per-user table showing MFA device count alongside PASS or FAIL, making it suitable as a direct workpaper attachment.
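The check described above, written out as an added example (this is not the script's own code). The AWS collection step is kept separate from the evaluation so the PASS/FAIL logic can be exercised on constructed data; `collect_console_users` assumes boto3 and the IAM permissions listed under Prerequisites.

```python
"""Added example: the core logic of the console-user MFA check, not the original script."""
from dataclasses import dataclass


@dataclass
class ConsoleUserStatus:
    username: str
    mfa_devices: int


def collect_console_users(profile=None):
    """Enumerate IAM users, keep those with a login profile, count their MFA devices.
    Returns (statuses, total_user_count). Needs boto3 and iam:ListUsers,
    iam:GetLoginProfile, iam:ListMFADevices."""
    import boto3  # imported here so evaluate() below also runs without boto3
    iam = boto3.Session(profile_name=profile).client("iam")
    statuses, total = [], 0
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            total += 1
            name = user["UserName"]
            try:
                iam.get_login_profile(UserName=name)
            except iam.exceptions.NoSuchEntityException:
                continue  # no console password: no console surface to protect
            devices = iam.list_mfa_devices(UserName=name)["MFADevices"]
            statuses.append(ConsoleUserStatus(name, len(devices)))
    return statuses, total


def evaluate(statuses, total_users):
    """Any console-enabled user with zero MFA devices fails the check."""
    failing = sorted(s.username for s in statuses if s.mfa_devices == 0)
    return {
        "total_users": total_users,
        "console_users": len(statuses),
        "failing_users": failing,
        "result": "FAIL" if failing else "PASS",
        "risk_rating": "HIGH" if failing else None,
    }


if __name__ == "__main__":
    # Constructed sample mirroring the FAIL output shown on this page.
    sample = [ConsoleUserStatus("alice.admin", 1),
              ConsoleUserStatus("bob.ops", 0),
              ConsoleUserStatus("carol.dev", 0)]
    print(evaluate(sample, total_users=4))
```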
Regulation coverage: NIST CSF PR.AC-7 | SOX ITGC AC-05 | PCI DSS 8.5 | ISO 27001 A.9.4.2 | FFIEC CAT | DORA Art.9
Prerequisites: pip install boto3 · iam:ListUsers · iam:GetLoginProfile · iam:ListMFADevices · sts:GetCallerIdentity
```bash
# Install dependency
$ pip install boto3

# Run with default credentials
$ python3 aws_05_mfa_console_users.py

# Named profile
$ python3 aws_05_mfa_console_users.py --profile my-audit-role

# Save JSON evidence
$ python3 aws_05_mfa_console_users.py --profile my-audit-role --save

# JSON only — for pipeline use
$ python3 aws_05_mfa_console_users.py --json-only | jq .failing_users
```
Example output, passing account:

```text
Scope    4 total users · 3 with console access · 0 failing
✓ RESULT: PASS

Console user MFA status
────────────────────────────────────────────────────────────
Username        MFA devices   Result
────────────────────────────────────────────────────────────
alice.admin     1             ✓ PASS
bob.ops         2             ✓ PASS
carol.dev       1             ✓ PASS

Finding  All 3 IAM users with console access have at least one MFA device assigned.
```
Example output, failing account:

```text
Scope    4 total users · 3 with console access · 2 failing
✗ RESULT: FAIL
Risk Rating  HIGH

Console user MFA status
────────────────────────────────────────────────────────────
Username        MFA devices   Result
────────────────────────────────────────────────────────────
alice.admin     1             ✓ PASS
bob.ops         0             ✗ FAIL
carol.dev       0             ✗ FAIL

Finding      2 of 3 console-enabled IAM users have no MFA device assigned: bob.ops, carol.dev.
             These accounts can be accessed with a password alone.
Remediation  IAM → Users → [username] → Security credentials → Assign MFA.
             Consider the aws:MultiFactorAuthPresent condition to enforce at policy level.
```
Regulation map
| Framework | Control / Clause | Obligation |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Authentication must be proportionate to the risk of the access granted. Console access without MFA fails this standard. |
| SOX ITGC | AC-05 | All human users with access to financial systems must authenticate using multi-factor methods. |
| PCI DSS v4.0 | 8.5 | MFA is required for all non-console access into the CDE and all remote access to the cardholder data environment. |
| ISO 27001:2022 | A.9.4.2 | Secure log-on procedures must use multi-factor authentication where technically feasible for sensitive systems. |
| FFIEC CAT | Baseline — IAM | Multi-factor authentication is a baseline requirement for all privileged and remote access to institution systems. |
| DORA (EU) | Article 9 | Financial entities must implement strong authentication for all access to ICT production environments. |
Feedback welcome: Corrections, ideas, and requests — grcguy@rtapulse.com.