Users with Console Access do not have MFA Enabled

Risk Level

Hazardous (3)

Compliance Frameworks
  • AWS Foundational Security Best Practices Controls
  • CCPA
  • FedRAMP
  • GDPR
  • ISO/IEC 27001
  • New Zealand Information Security Manual
  • NIST 800-53
  • Orca Best Practices
  • SOC 2

About AWS Management Console

AWS Management Console is a web application that gives users all the controls they need to manage their AWS resources. All AWS services are accessible, including compute, storage, governance, security, and analytical services.

Before you can access the AWS console, you have to log in to your AWS account.

Cloud Risk Description

If only a username and password are required to log in to the AWS console, a brute-force attack can potentially let a malicious actor obtain those credentials and gain unauthorized access. During a brute-force attack, a malicious actor repeatedly tries different password combinations until they find the right one.

Since the console provides direct access to critical resources and services, it’s important to secure its login procedure using multi-factor authentication (MFA). MFA adds an extra layer of authentication assurance beyond traditional credentials, reducing the risk of unauthorized access.

When a user logs in with MFA enabled, they’re prompted for their username and password as well as an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for every IAM user that has a console password.
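As an added example (not Orca's own code), the check below reads the IAM credential report, which AWS exposes through `iam.get_credential_report()`, and lists every principal that can sign in to the console but has no active MFA device. The embedded report is constructed sample data, and the boto3 fetch helper is optional and assumes the caller already holds credentials with `iam:GenerateCredentialReport` and `iam:GetCredentialReport`.

```python
"""List console-enabled IAM principals that have no active MFA device."""
import csv
import io
import time

# Constructed sample credential report (not real account data). The column
# names match those AWS emits; only the first ten columns are included.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T00:00:00+00:00,true,no_information,2024-01-01T00:00:00+00:00,N/A,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return the names of principals with a console password but no MFA.

    Edge cases handled:
    - The root account reports password_enabled as "not_supported" because
      root always has a password, so it is treated as console-enabled.
    - Users with password_enabled == "false" are API-key-only identities and
      are out of scope for this check (they cannot log in to the console).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        has_console_password = is_root or row["password_enabled"] == "true"
        if has_console_password and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def fetch_credential_report(poll_seconds: float = 2.0) -> str:
    """Generate and download the live credential report via boto3 (optional)."""
    import boto3  # imported lazily so the parser above works without boto3

    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until AWS reports COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(poll_seconds)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"console access without MFA: {user}")
```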

How Can Orca Help?

Orca detects cloud IAM risks and generates an alert if a console user does not have the requisite MFA (see screenshot).

Orca ensures that cloud password policy settings meet industry guidelines pertaining to MFA use, minimum password length, use of special characters, password age, password reuse, and more.


Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.