Checks whether multi-factor authentication (MFA) is enabled for logons by Resource Access Management (RAM) users. A RAM user is considered non-compliant if MFA is not enabled.
Scenarios
Verifying that MFA is enabled for logons by RAM users is an essential part of enterprise security. This practice reduces security risks by ensuring that only users who pass strict identity verification can perform critical operations and access sensitive data.
Risk level
Default risk level: High.
You can change the risk level as needed.
Detection logic
This rule checks whether MFA is enabled for logons by RAM users. A RAM user is considered non-compliant if MFA is not enabled.
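The check can be reproduced offline against an exported user inventory. The following is an added example, not code from the rule or from the cloud provider. It assumes that "MFA enabled" means a virtual MFA device is bound to the user, and that the input is shaped like RAM `ListUsers` and `ListVirtualMFADevices` responses; the sample data, field layout and `COMPLIANT`/`NON_COMPLIANT` labels are constructed for illustration.

```python
import json

# Constructed sample data, shaped like RAM ListUsers and ListVirtualMFADevices
# responses (field names are assumptions; check them against your own export).
LIST_USERS = json.loads("""
{"Users": {"User": [
  {"UserName": "alice", "UserId": "1001"},
  {"UserName": "bob", "UserId": "1002"},
  {"UserName": "ci-deploy", "UserId": "1003"}
]}}
""")
LIST_MFA_DEVICES = json.loads("""
{"VirtualMFADevices": {"VirtualMFADevice": [
  {"SerialNumber": "acs:ram::123456:mfa/alice",
   "User": {"UserName": "alice", "UserId": "1001"}},
  {"SerialNumber": "acs:ram::123456:mfa/bob-unbound"}
]}}
""")


def users_with_bound_mfa(mfa_response):
    """Return the user names that have an MFA device bound to them."""
    # A device that was created but never bound carries no "User" object,
    # so it must not count as MFA being enabled for anyone.
    devices = mfa_response.get("VirtualMFADevices", {}).get("VirtualMFADevice", [])
    return {d["User"]["UserName"] for d in devices if (d.get("User") or {}).get("UserName")}


def evaluate(users_response, mfa_response):
    """Apply the rule: a RAM user without MFA enabled is NON_COMPLIANT."""
    bound = users_with_bound_mfa(mfa_response)
    results = []
    for user in users_response.get("Users", {}).get("User", []):
        name = user["UserName"]
        results.append({
            "resource_type": "ACS::RAM::User",
            "user_name": name,
            "compliance": "COMPLIANT" if name in bound else "NON_COMPLIANT",
        })
    return results


def non_compliant_names(results):
    return sorted(r["user_name"] for r in results if r["compliance"] == "NON_COMPLIANT")


if __name__ == "__main__":
    for row in evaluate(LIST_USERS, LIST_MFA_DEVICES):
        print(f'{row["user_name"]:<12}{row["compliance"]}')
```

In the sample, `bob` is flagged even though a device named after him exists, because that device was never bound to a user.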
Rule details
| Parameter | Description |
| --- | --- |
| Rule name | Check whether MFA is enabled for RAM user logons |
| Rule identifier | |
| Automatic remediation | Not supported |
| Trigger type | Configuration changes |
| Supported resource types | ACS::RAM::User |
| Input parameters | None |
Remediation
For more information, see Attach an MFA device to a RAM user.