IAM Root Account Uses Virtual MFA
Overview
The root user for this AWS account has a virtual Multi-Factor Authentication (MFA) token configured. You may want to replace this with a physical device to enhance security.
There are a few reasonable approaches to securing a root user in an AWS account, depending on the size and complexity of your environment. Although compliance standards like CIS may recommend only using hardware MFA, this is not necessarily the best option for large, modern cloud deployments. As detailed below, we recommend Service Control Policies instead of hardware MFA, and either an SCP or a well-secured virtual MFA token can be considered an effective compensating control.
If your environment consists of a single AWS account, or a small handful of accounts, you should consider using a hardware token for MFA with root users. A YubiKey using U2F is typically a good choice and offers resilience against phishing and social-engineering attacks compared to tokens that display a temporary security code for you to enter. AWS provides a guide to the various MFA options at https://aws.amazon.com/iam/features/mfa/
If your environment consists of a large number of accounts, you should consider using a Service Control Policy (SCP) in AWS Organizations to disallow actions by the root user in member accounts. If the root user for this account is already disallowed by an SCP, you can mark this issue exempt.
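An SCP of the kind described above, added here as an illustration rather than taken from the original finding or from AWS documentation: attached to an organizational unit (or to the organization root), it denies every action attempted while signed in as the root user of any member account under it. The statement ID "DenyRootUserActions" is an arbitrary name; the aws:PrincipalArn pattern matches the root user ARN of any account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

SCPs never apply to the organization's management account, so that account's root user still relies on MFA and is the one most worth protecting with a hardware token. Root-only tasks in member accounts (such as changing certain account settings) are blocked while this policy is attached, so plan to detach it temporarily, under change control, when such a task is needed.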
Vendor
AWS
Cloud Service
IAM
Related Requirements
PCI DSS 8.3.1
Related Controls
CIS AWS v1.5.0 1.6, IAM.6
References
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html, https://aws.amazon.com/iam/features/mfa/, https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html, https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-root-auser-actions
Severity
4
Item Types
AWS::IAM::VirtualMFADevice