Profile Applicability:

Level 1

Description:

The AWS root user account has full administrative privileges in an AWS account. Multi-Factor Authentication (MFA) provides an additional security layer beyond just a password, requiring a time-sensitive authentication code from an MFA device to log in. AWS strongly recommends enabling MFA for the root user to prevent unauthorized access.

Rationale:

  • Reduces attack risk: Even if the root password is compromised, an attacker cannot log in without the MFA code.

  • Protects against phishing and brute-force attacks.

  • Required for compliance: Many security standards (e.g., CIS, SOC 2, ISO 27001) mandate MFA for privileged accounts.

Impact:

  • Failure to enable MFA on root user increases the likelihood of account takeover in case of password leaks.

  • Compromised root credentials can result in complete AWS account compromise, leading to data breaches, financial loss, and legal repercussions.

Default Value:

By default, AWS does not enable MFA for the root account. It must be manually configured by the root user.

  1. AWS Root User Access:

    • Only the root user can enable MFA on the root account.

  2. MFA Device:

    • Virtual MFA (Recommended): Use an authenticator app like Google Authenticator, Microsoft Authenticator, or AWS Virtual MFA.

    • Hardware MFA (More Secure): Use a physical MFA device (e.g., YubiKey, Gemalto).

  3. Secure Backup Strategy:

    • Document and securely store recovery options if the MFA device is lost.

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Click Services → Select IAM.

                     

  1. Click Credential Report (under Access Reports).

                           

  1. This will download a CSV file containing IAM credential details.                  

  2. Open the file and verify that for <root_account>: mfa_active field is set to TRUE.


Using AWS Command Line

Run the following AWS CLI command:

 aws iam get-account-summary | grep "AccountMFAEnabled"

 If MFA is enabled, the output will show:   "AccountMFAEnabled": 1

  • If the output shows "0", MFA is not enabled and must be configured.

Implementation Steps:

Using AWS Console 

  1. Log in to AWS as the root user.

  2. Open the IAM Console: AWS IAM Console.

  3. In the Dashboard, under Security Status, click Activate MFA on your root account.

                           

             

  1. Click Activate MFA.                             

  2. Choose A Virtual MFA Device or A Hardware MFA Device → Click Next Step.

  3. Scan the QR Code using an MFA app (Google Authenticator, Microsoft Authenticator, or AWS Virtual MFA).

  4. Enter two consecutive MFA codes from the app.

                         

  1. Click Assign Virtual MFA.

                         

Using AWS Command Line

Run the following command to enable MFA for the root user:

aws iam enable-mfa-device --user-name root --serial-number <mfa-serial> --authentication-code-1 <code1> --authentication-code-2 <code2>

  1. Replace placeholders:

    • <mfa-serial>: The ARN of the MFA device.

    • <code1>, <code2>: Two consecutive codes from the MFA device.

  • Verify MFA activation with:
 aws iam get-account-summary | grep "AccountMFAEnabled"

Backout Plan:

If MFA is misconfigured or the device is lost:

  1. Use AWS account recovery via security questions or contact AWS Support.

  2. Login using an MFA backup device (if configured).

  3. Disable MFA and reconfigure it with a new device.

References:


CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

6.5

Require MFA for all administrative access accounts.

CIS v7

4.5

Use MFA and encrypted channels for administrative access.