Profile Applicability

  • Level 1

Description:

The root user account in AWS should have hardware multi-factor authentication (MFA) enabled to enhance the security of the account. Hardware MFA provides a more robust and tamper-resistant form of authentication compared to software-based MFA, making it more suitable for securing highly privileged accounts like the root user.

AWS allows you to configure hardware MFA devices such as a physical key fob or other hardware tokens. These devices generate a one-time password (OTP) that must be entered along with the root password to access the AWS account.

Rationale:

The root user has full access to all AWS services and resources, making it a prime target for attackers. Enabling hardware MFA on the root account ensures that access requires a physical device, which makes it significantly harder for attackers to gain unauthorized access—even if they have compromised the root user password. This is a critical security control to help mitigate the risk of account compromise.

Impact:

Failure to enable hardware MFA on the root account exposes the AWS environment to higher security risks, such as:

  • Unauthorized access to all resources if the root password is compromised

  • Increased susceptibility to phishing and credential theft attacks

  • Difficulty in defending against account takeover attempts

Default Value:

MFA is not enabled by default for the root user. It must be manually configured in the AWS Management Console or via the AWS CLI. Hardware MFA is an optional but highly recommended form of MFA.

Pre-Requisites:

  • AWS root account access

  • A compatible hardware MFA device (e.g., Yubikey or other FIDO U2F tokens)

  • Access to AWS Management Console

  • Administrative permissions to configure MFA for the root user

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console using the root user

  2. Navigate to IAM Console → Users

  3. In the left-hand menu, select Security Credentials

  4. Under Multi-Factor Authentication (MFA), ensure that a hardware MFA device is listed and enabled for the root user

Using AWS CLI:

aws iam list-mfa-devices

Run this with the root user's credentials; without --user-name the command lists the MFA devices of the calling identity, and the root user is not an IAM user, so `--user-name root` would fail with NoSuchEntity. Ensure the output lists an MFA device for the root user and that it is a hardware device: a SerialNumber of the form arn:aws:iam::<account-id>:mfa/root-account-mfa-device denotes a virtual (software) MFA device, whereas a hardware TOTP token reports the serial number printed on the device.
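As an added example (not part of this benchmark page), the following Python evaluates the same check from the two IAM API responses a compliance scanner would collect, the account summary and the list of assigned virtual MFA devices; it goes slightly beyond the CLI check above because it works with any credentials allowed to call those two APIs, not only the root user. The sample responses and the account id 123456789012 are constructed.

```python
"""Evaluate the root-user hardware MFA check from two IAM API responses.

Same logic as the test plan: AccountMFAEnabled must be 1 in the account summary
and no virtual MFA device may be assigned to root (its serial number ends in
"mfa/root-account-mfa-device"); MFA on root that is not virtual is hardware MFA.
"""

ROOT_VIRTUAL_MFA_SUFFIX = ":mfa/root-account-mfa-device"


def root_hardware_mfa_status(account_summary, virtual_mfa_devices):
    """account_summary: 'SummaryMap' from get-account-summary;
    virtual_mfa_devices: 'VirtualMFADevices' from list-virtual-mfa-devices."""
    mfa_enabled = account_summary.get("AccountMFAEnabled", 0) == 1
    root_virtual = [
        d["SerialNumber"] for d in virtual_mfa_devices
        # only a device that is currently assigned carries a "User" block
        if "User" in d and d["SerialNumber"].endswith(ROOT_VIRTUAL_MFA_SUFFIX)
    ]
    return {
        "root_mfa_enabled": mfa_enabled,
        "root_virtual_mfa": root_virtual,
        "compliant": mfa_enabled and not root_virtual,
    }


def check_live_account():
    """Fetch both responses with boto3 under the account's credentials and evaluate them."""
    import boto3  # imported here so the evaluator stays importable offline
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
    return root_hardware_mfa_status(summary, devices)


# Constructed sample responses (account id 123456789012 is a placeholder, not a real account).
SUMMARY_MFA_ON = {"AccountMFAEnabled": 1, "Users": 3}
SUMMARY_MFA_OFF = {"AccountMFAEnabled": 0, "Users": 3}
VIRTUAL_ON_ROOT = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
                    "User": {"UserName": "root", "Arn": "arn:aws:iam::123456789012:root"}}]
VIRTUAL_ON_IAM_USER = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
                        "User": {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"}}]

if __name__ == "__main__":
    for label, summary, devices in [("hardware MFA", SUMMARY_MFA_ON, VIRTUAL_ON_IAM_USER),
                                    ("virtual MFA on root", SUMMARY_MFA_ON, VIRTUAL_ON_ROOT),
                                    ("no MFA", SUMMARY_MFA_OFF, [])]:
        print(label, root_hardware_mfa_status(summary, devices))
```

A virtual device assigned to an IAM user does not affect the root finding, which is why the first sample case is compliant.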

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console with the root user

  2. Go to My Account → IAM Console → Security Credentials

  3. Under the Multi-Factor Authentication (MFA) section, click Activate MFA

  4. Select Hardware MFA device

  5. Follow the instructions to configure the hardware device, which will involve scanning the device and verifying OTPs from the hardware token

  6. Once successfully activated, the MFA device will be listed as enabled for the root user

Using AWS CLI:

To enable hardware MFA, follow these steps:

  1. Set up the hardware MFA device (e.g., Yubikey)

  2. Use the following CLI command to enable the hardware MFA for the root user:

aws iam enable-mfa-device \
  --user-name root \
  --serial-number <hardware-device-serial-number> \
  --authentication-code1 <first-MFA-code> \
  --authentication-code2 <second-MFA-code>

Replace <hardware-device-serial-number> with the serial number printed on the hardware token (for a hardware TOTP device the --serial-number value is the device serial, not a policy ARN), and <first-MFA-code> and <second-MFA-code> with two consecutive authentication codes generated by the hardware device.

Backout Plan:

If enabling hardware MFA on the root account causes issues with access:

  1. Sign in to the AWS Console with the root user and the hardware MFA device

  2. Disable the hardware MFA device under Security Credentials

  3. Investigate if any applications or processes depend on root user access without MFA

  4. Re-enable hardware MFA once these dependencies are addressed

References:

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  CIS v8                5.3          Ensure that multi-factor authentication (MFA) is enabled for all privileged users
  CIS v7                4.6          Ensure hardware MFA is enabled for the root account in AWS