Skip to main content

IAM Root Account Should Have MFA or No Credentials

Overview

The 'root' user account is the most privileged user in an AWS account. This check ensures the root user is properly secured through one of two acceptable configurations:

  1. MFA Enabled: Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.

  2. No Credentials: The root user has no password and no access keys, effectively disabling direct access. This is often the preferred approach for security-conscious organizations.

Important Security Note: MFA only protects console access, not programmatic access via access keys. Root user access keys can bypass MFA entirely.

When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.

AWS provides a guide on various MFA options at https://aws.amazon.com/iam/features/mfa/. If your environment consists of a large number of accounts, you should consider using a Service Control Policy (SCP) in AWS Organizations to disallow actions by the root user in member accounts. If the root user for this account is already disallowed by an SCP, you can mark this issue exempt.

Vendor

AWS

Cloud Service

IAM

PCI DSS 8.3.1, PCI DSS 8.3.1

CIS AWS v1.5.0 1.5, IAM.6, IAM.9

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html, https://aws.amazon.com/iam/features/mfa/, https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html, https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-root-auser-actions

Severity

4

Item Types

Custom::AWS::IAM::Account