Skip to main content

IAM Root Account Does Not Have MFA Enabled

Overview

The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.

When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.

Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.

AWS provides a guide on various MFA options at https://aws.amazon.com/iam/features/mfa/. If your environment consists of a large number of accounts, you should consider using a Service Control Policy (SCP) in AWS Organizations to disallow actions by the root user in member accounts. If the root user for this account is already disallowed by an SCP, you can mark this issue exempt.

Vendor

AWS

Cloud Service

IAM

PCI DSS 8.3.1, PCI DSS 8.3.1

CIS AWS v1.5.0 1.5, IAM.6, IAM.9

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html, https://aws.amazon.com/iam/features/mfa/, https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html, https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-root-auser-actions

Severity

4

Item Types

Custom::AWS::IAM::Account