Profile Applicability:

Level 2

Description:

The AWS root user account has full administrative privileges over an AWS account. Multi-Factor Authentication (MFA) adds an extra layer of security by requiring an additional authentication factor beyond a password. For Level 2 compliance, it is recommended to use a hardware MFA device (rather than a virtual MFA) to provide enhanced security against phishing, malware, and credential theft.

Rationale:

  • Virtual MFA devices (mobile apps) introduce risks if the mobile device is lost, traded-in, or compromised.

  • Hardware MFA devices are physically separate, reducing the risk of compromise.

  • AWS root account access should be highly controlled, as a compromise could lead to complete AWS account takeover.

Impact:

  • Failure to enable hardware MFA increases the risk of AWS root account compromise through phishing or malware attacks.

  • Virtual MFA apps can be hacked, cloned, or compromised, whereas hardware MFA tokens cannot.

  • Losing root access credentials without MFA can result in account lockout and require AWS manual recovery procedures.

Default Value:

By default, AWS does not enforce MFA for the root account.

  • If MFA is configured, it is often virtual MFA (mobile-based).

  • Hardware MFA must be manually enabled by the root user.

Pre-Requisites:

  1. AWS Root User Access:

    • Only the root user can enable MFA for the root account.

  2. Hardware MFA Device:

    • Supported AWS hardware MFA devices include YubiKey, Gemalto, and HyperFIDO devices.

  3. Secure Device Storage:

    • Store the hardware MFA device securely (e.g., locked cabinet, security safe).

  4. Backup Authentication Plan:

    • Maintain a backup AWS support plan in case the MFA device is lost.

Remediation:

Test Plan:

Using AWS Console

  1. Login to AWS as the root user.

  2. Click Services → Select IAM.

                       

  1. Click Credential Report (under Access Reports).

                           

  1. Download the CSV file containing IAM credential details.

                         

  1. Verify that for <root_account>:

    • mfa_active field is set to TRUE.

  2. Check if the MFA device is hardware-based and not virtual.

Using AWS Command Line 

  • Run the following AWS CLI command to check if MFA is enabled:
aws iam get-account-summary | grep "AccountMFAEnabled"
  • If MFA is enabled, the output will show: "AccountMFAEnabled": 1

 

  • Check if the root user is using a virtual MFA device:
 aws iam list-virtual-mfa-devices
  • If the output contains the following, the root user is using virtual MFA and is non-compliant:
    "SerialNumber": "arn:aws:iam::<aws_account_number>:mfa/root-account-mfa-device"
  • If no virtual MFA devices are listed, the root user is compliant with this control.


Implementation Steps:

Using AWS Console

  1. Login to AWS as the root user.

  2. Open the IAM Console: AWS IAM Console.

                           

  1. In the Dashboard, under Security Status, click Activate MFA on your root account.

                     

  1. Click Activate MFA.

             

  1. Select A Hardware MFA Device → Click Next Step.

                     

  1. Enter the Serial Number (found on the back of the hardware MFA device).

  2. Press the button on the hardware MFA device to generate an authentication code.

  3. Enter Authentication Code 1.

  4. Wait 30 seconds and press the button again to generate the second authentication code.

  5. Enter Authentication Code 2.

  6. Click Next Step → Confirm that the MFA device is now associated

                   

Backout Plan:

If MFA is misconfigured or the hardware device is lost:

  1. Use AWS account recovery via AWS Support.

  2. Request AWS to disable MFA by verifying account ownership.

  3. Reconfigure a new hardware MFA device.

References:


CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

6.5

Require MFA for all administrative access accounts.

CIS v7

4.5

Use MFA and encrypted channels for administrative access.