Hardware MFA for root account is not enabled
Description
The root account is the most privileged user in an AWS account. Multi-Factor Authentication (MFA) provides an additional layer of security beyond the username and password. With MFA enabled, users are prompted to enter their username, password, and an authentication code from their AWS MFA device when signing in to an AWS service.
It is recommended to protect the root account with Level 2 hardware MFA, as it offers a reduced attack surface compared to virtual MFA. For instance, hardware MFA devices do not inherit the security risks associated with the mobile smartphone on which a virtual MFA is typically hosted.
📘 Note
Implementing hardware MFA across multiple AWS accounts may present logistical challenges in device management. In such cases, consider applying this recommendation selectively: use Level 2 MFA for the highest-security AWS accounts, and apply Level 1 MFA for the remaining accounts.
Fix - Runtime
AWS Console
To establish a hardware MFA for the root account, follow these steps:
- Log in to the AWS Management Console as a Root user at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- Select Dashboard, and under Security Status for your root account, expand Activate MFA.
- Select Activate MFA.
- In the wizard, select a hardware MFA device, then select Next Step.
- In the Serial Number box, enter the serial number found on the MFA device.
- In the Authentication Code 1 box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
- Wait 30 seconds while the device refreshes the code.
- Enter the next six-digit number into the Authentication Code 2 box. You might need to press the button on the front of the device again to display the second number.
- Select Next Step. The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.
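To verify the outcome of the procedure above (and to distinguish a hardware device from a virtual one), the usual audit is to combine two IAM API responses: `GetAccountSummary` reports whether the root user has any MFA device, and `ListVirtualMFADevices` reveals whether that device is virtual. The following is an added example, not code from the original page; it evaluates that logic against constructed responses, and the `boto3` calls named in the docstring are how the same inputs would be obtained in a live account.

```python
"""Classify the root account's MFA posture from two IAM API responses.

Added example (not part of the original page). In a live account the inputs
would come from boto3:
    iam.get_account_summary()["SummaryMap"]
    iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
Here both are constructed so the check can be exercised offline.
"""


def _is_root_arn(arn: str) -> bool:
    # The root principal's ARN has no "user/" path: arn:aws:iam::<account-id>:root
    return arn.endswith(":root")


def root_mfa_status(summary_map: dict, assigned_virtual_devices: list) -> str:
    """Return 'NONE', 'VIRTUAL' or 'HARDWARE'.

    AccountMFAEnabled == 1 means the root user has an MFA device. If a virtual
    MFA device is assigned to the root principal, that is the device in use;
    otherwise the enabled device is not virtual, i.e. a physical one.
    """
    if int(summary_map.get("AccountMFAEnabled", 0)) != 1:
        return "NONE"
    for dev in assigned_virtual_devices:
        if _is_root_arn(dev.get("User", {}).get("Arn", "")):
            return "VIRTUAL"
    return "HARDWARE"


def is_compliant(summary_map: dict, assigned_virtual_devices: list) -> bool:
    """The page's recommendation: root is protected by hardware MFA."""
    return root_mfa_status(summary_map, assigned_virtual_devices) == "HARDWARE"


# Constructed sample responses; account id 123456789012 is a placeholder.
SUMMARY_MFA_ON = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}
SUMMARY_MFA_OFF = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0}
ROOT_VIRTUAL_DEVICE = [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root"},
}]
IAM_USER_VIRTUAL_DEVICE = [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
    "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserName": "alice"},
}]

if __name__ == "__main__":
    print("no MFA:", root_mfa_status(SUMMARY_MFA_OFF, []))
    print("virtual MFA on root:", root_mfa_status(SUMMARY_MFA_ON, ROOT_VIRTUAL_DEVICE))
    print("hardware MFA on root:", root_mfa_status(SUMMARY_MFA_ON, IAM_USER_VIRTUAL_DEVICE))
```

A virtual device assigned to an ordinary IAM user does not affect the result; only a virtual device whose `User.Arn` is the root principal marks the root account as virtual-MFA protected.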