Test: MFA on Infrastructure Console

ASSOCIATED DRATA CONTROL

This test is part of the MFA on Accounts control that ensures Multi-Factor Authentication (MFA) is being required for access to any sensitive systems or applications. Drata will verify that in order to log in to your company Infrastructure Management Console a user needs to provide their ID, a password, and then either a One-Time Password (OTP) or certificate.

WHAT TO DO IF A TEST FAILS

If Drata finds that there are infrastructure accounts that do not have MFA enabled the test will fail. With a failed test you will receive a list of users that do not have MFA enabled on their account.

STEPS FOR PASSING

To ensure a validated state when testing for MFA on the Infrastructure Console, please follow the steps listed in the table below. In certain cases, the individual failing users will need to modify their account MFA implementation. Once the provider steps have been completed, the next nightly user sync will pick up the changes and rerun the test to show the latest results.

Provider / Technology	Provider Steps
Atlas MongoDB	Atlas' API does not expose user MFA details. As a result, all records on the Managed Accounts page will show as failing MFA. In addition, monitoring test 88 - MFA on Infrastructure Console will show these users as failing. They will need to be excluded. If Atlas is the only connected infrastructure connection, this test can be disabled.
AWS - IAM	Within AWS, go to the IAM service Go to Users Add user, add to any user group Save user Then, as the new IAM user: Login Turn on MFA
Azure - Users	Login to `portal.azure.com` with Office 365 credentials Create user with Office 365 email Users created in this way are associated with Office 365 AND Azure Click "Authentication Methods", then require re-register MFA in top panel Then, as the new user: Login Turn on MFA This may take a few hours to propagate within Azure. Note: Drata also supports pulling MFA when Conditional Access Policies or Security Defaults are in place. This does require that Microsoft 365 be used as your IdP connection. Please reach out to our Technical Support team if you need more guidance.
Cloudflare - Users	Within Cloudflare, select an account Navigate to the members page Turn ON the “Member 2FA enforcement” (This will require invited members to enable their MFA when they accepted the invitation) Invite members. (Enter email address) Click the invite button Note: You will need to make sure that an Admin has connected both the IDP and Cloudflare to Drata.
GCP - IAM	Accounts within GCP must also be added to Google Workspace (GW, fka GSuite). To Add a User to GW and GCP Log in to GW and add the account Log in to GCP IAM and add the member that was created in GW Make sure this user has MFA enabled in GW Navigate to the Connections screen in Drata and connect to GW and GCP *NOTE: please follow the "Before Diving In" section of the GCP Connection Details article to ensure Drata can automatically pull MFA for GCP users* Navigate to the Manage Infrastructure Accounts page (filtered to clientType=GCP) Verify the account has been added Verify the user shows as having MFA enabled
Heroku	Log into Heroko Go to Account Settings Click 'Setup Multi-Factor Authentication' Click 'Add' to choose the desired MFA authentication method and follow the on-screen instructions' Click 'Done' to finish the setup Ensure you receive the confirmation email NOTE: ensure the user making the Heroku connection is part of an Enterprise Team, and that global permissions have been granted to the Drata OAuth application. This will allow Drata to pull MFA for both enterprise and standard team members.

HELPFUL RESOURCES