Profile Applicability

  • Level 1

Description:

Multi-factor authentication (MFA) should be enabled for the root user account to add an additional layer of security. The root user account is highly privileged, and enabling MFA ensures that access requires both a password and a second form of authentication, such as a hardware or virtual MFA device. This significantly reduces the risk of unauthorized access in the event that the root user password is compromised.

Rationale:

The root user has full access to all AWS services and resources, making it a high-value target for attackers. Enabling MFA for the root user helps protect the account from unauthorized access, even if an attacker manages to acquire the root user's password. This is a critical step in securing the AWS account and following AWS security best practices.

Impact:

Failure to enable MFA on the root user account leaves the AWS account vulnerable to unauthorized access, even with the correct root password. If the root password is compromised, an attacker can access, modify, or delete all AWS resources without additional barriers. Enabling MFA mitigates this risk.

Default Value:

MFA is not enabled by default for the root user. It must be manually configured via the AWS Management Console.

Pre-Requisites:

  • AWS CLI installed and configured (for command-line operations)

  • Access to the AWS Management Console with root user permissions

  • A compatible MFA device (e.g., a hardware token or an MFA app like Google Authenticator or Authy)

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console using the root user

  2. Navigate to IAM Console → Users

  3. In the left-hand menu, click Security Credentials

  4. Under the Multi-Factor Authentication (MFA) section, ensure that an MFA device is listed and is marked as enabled

Using AWS CLI:

aws iam get-account-summary | grep "AccountMFAEnabled"

Ensure the output shows "AccountMFAEnabled": 1. The root user is not an IAM user, so aws iam list-mfa-devices --user-name root does not report on it; the account summary is the authoritative indicator of root MFA status.
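The CLI check scripted against real AWS CLI output, as an added example that is not part of the benchmark text; it assumes the AWS CLI's JSON output format and, going a step beyond the test plan, also reports whether root's MFA is a virtual device (the sample JSON responses are constructed):

```shell
#!/bin/sh
# Added example (not part of the benchmark text): evaluate root MFA status from
# the JSON that the AWS CLI prints, so the check can be scripted and audited.
# Real usage (requires credentials with iam:GetAccountSummary / iam:ListVirtualMFADevices):
#   aws iam get-account-summary | root_mfa_status
#   aws iam list-virtual-mfa-devices --assignment-status Assigned | root_mfa_is_virtual

# Extract the AccountMFAEnabled value (0 or 1) from get-account-summary JSON on stdin.
account_mfa_enabled() {
    sed -n 's/.*"AccountMFAEnabled"[[:space:]]*:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# PASS (exit 0) only when AccountMFAEnabled is exactly 1; a missing key or any
# other value is treated as FAIL so a malformed or partial response never passes.
root_mfa_status() {
    value=$(account_mfa_enabled)
    if [ "$value" = "1" ]; then
        echo "PASS: root user MFA is enabled"
        return 0
    fi
    echo "FAIL: root user MFA is not enabled (AccountMFAEnabled=${value:-missing})"
    return 1
}

# From list-virtual-mfa-devices JSON on stdin, exit 0 if the root user's MFA is a
# virtual device. AWS assigns the root virtual device the serial
# arn:aws:iam::<account-id>:mfa/root-account-mfa-device, so its presence in the
# assigned list means root is not protected by a hardware token.
root_mfa_is_virtual() {
    grep -q '"SerialNumber"[[:space:]]*:[[:space:]]*"arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device"'
}

# Constructed sample responses, abridged to the fields the checks read.
SAMPLE_ENABLED='{"SummaryMap": {"Users": 3, "AccountMFAEnabled": 1}}'
SAMPLE_DISABLED='{"SummaryMap": {"Users": 3, "AccountMFAEnabled": 0}}'
SAMPLE_VIRTUAL='{"VirtualMFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device"}]}'
SAMPLE_NO_ROOT_VIRTUAL='{"VirtualMFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}]}'

# Demonstration on the constructed samples (the second one intentionally fails).
printf '%s\n' "$SAMPLE_ENABLED" | root_mfa_status
printf '%s\n' "$SAMPLE_DISABLED" | root_mfa_status || true
```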

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console with the root user

  2. In the top-right corner, click My Account

  3. In the IAM Console, navigate to Security Credentials

  4. Under Multi-Factor Authentication (MFA), click Activate MFA

  5. Follow the on-screen instructions to associate an MFA device (either virtual or hardware) with the root account

  6. Complete the MFA setup and confirm that it is successfully activated

Using AWS CLI:

Note: the IAM API cannot attach an MFA device to the root user; root MFA is configured only through the AWS Management Console (see Default Value). The command below enables an MFA device for an IAM user and is included for completeness:

  1. Set up an MFA device (e.g., Google Authenticator or a hardware token) and note its serial number (for a virtual device created with aws iam create-virtual-mfa-device, this is an ARN of the form arn:aws:iam::<account-id>:mfa/<device-name>)

  2. Use the following CLI command to enable the device for the IAM user:

  aws iam enable-mfa-device \
    --user-name <iam-user-name> \
    --serial-number <mfa-device-serial-or-arn> \
    --authentication-code1 <first-MFA-code> \
    --authentication-code2 <second-MFA-code>

Replace <iam-user-name> with the IAM user name, <mfa-device-serial-or-arn> with the device's serial number (hardware token) or ARN (virtual device), and <first-MFA-code> and <second-MFA-code> with two consecutive authentication codes generated by the MFA device.

Backout Plan:

If enabling MFA for the root user causes issues with access:

  1. Sign in to the AWS Console with the root user and the MFA device

  2. Disable the MFA device under Security Credentials

  3. Investigate any application or script dependencies that require root access without MFA

  4. Re-enable MFA once the issues are resolved

References:

CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                5.3          Ensure that multi-factor authentication (MFA) is enabled for all privileged users
CIS v7                4.6          Ensure MFA is enabled for the root account in AWS