Profile Applicability:
Level 2
Description:
This control ensures that the AWS root account is protected using a hardware multi-factor authentication (MFA) device rather than a virtual MFA device. Hardware MFA provides an additional physical layer of security that cannot be easily cloned or compromised, offering stronger protection for the most privileged account in AWS.
Rationale:
The root account has unrestricted administrative privileges, including the ability to delete resources, modify billing, and disable security configurations. Using a hardware MFA device (such as a YubiKey or Gemalto token) minimizes the risk of unauthorized access resulting from credential theft, phishing, or device compromise. Unlike virtual MFA apps, hardware MFA devices are not susceptible to malware, cloning, or mobile device loss. This control aligns with high-security standards in compliance frameworks like CIS Level 2, ISO 27001, SOC 2, and NIST 800-53.
Impact:
Positive Impact: Greatly improves the security of the AWS root account by providing the strongest form of MFA authentication, reducing the risk of compromise.
Negative Impact: Hardware MFA devices involve additional costs and may require secure handling and storage processes to prevent loss.
Default Value:
By default, MFA is not enabled for the root account, and AWS does not enforce the use of hardware MFA.
Pre-Requisite:
Physical hardware MFA device (e.g., YubiKey or Gemalto token).
Root account credentials for setup.
IAM permissions are not sufficient; this must be performed using the root account.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console using the root account credentials.
Go to the upper-right corner of the console, choose your account name, and select Account.
Under Security credentials, locate the Multi-factor authentication (MFA) section.
Verify that MFA is enabled and the device type is listed as “Hardware MFA device.”
If MFA is not enabled or is set to a “Virtual MFA device,” the root account is non-compliant.
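The console check above can be scripted from two AWS CLI calls, aws iam get-account-summary and aws iam list-virtual-mfa-devices --assignment-status Assigned: root MFA is enabled when AccountMFAEnabled is 1, and it is a virtual device when an assigned virtual device carries the root-account-mfa-device serial number. This is an added example, not part of the benchmark text; the sample CLI output and the account ID 123456789012 are constructed.

```python
import json
import re
import subprocess

# Root virtual MFA devices carry this serial number (partition-agnostic, e.g. aws, aws-us-gov).
ROOT_VIRTUAL_MFA_RE = re.compile(r"^arn:aws[^:]*:iam::\d{12}:mfa/root-account-mfa-device$")


def evaluate_root_mfa(account_summary: dict, virtual_devices: dict) -> dict:
    """Decide compliance from parsed get-account-summary and
    list-virtual-mfa-devices output. Returns {'compliant': bool, 'finding': str}."""
    summary = account_summary.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        return {"compliant": False, "finding": "no MFA device is enabled for the root account"}
    for dev in virtual_devices.get("VirtualMFADevices", []):
        serial = dev.get("SerialNumber", "")
        owner = dev.get("User", {}).get("Arn", "")
        if ROOT_VIRTUAL_MFA_RE.match(serial) or owner.endswith(":root"):
            return {"compliant": False, "finding": f"root MFA is a virtual device: {serial}"}
    return {"compliant": True, "finding": "root MFA enabled and no virtual device assigned to root"}


def evaluate_live_account() -> dict:
    """Run the two AWS CLI calls with the caller's credentials and evaluate the result."""
    summary = json.loads(subprocess.check_output(["aws", "iam", "get-account-summary"]))
    devices = json.loads(subprocess.check_output(
        ["aws", "iam", "list-virtual-mfa-devices", "--assignment-status", "Assigned"]))
    return evaluate_root_mfa(summary, devices)


# Constructed sample CLI output (account ID 123456789012 is a placeholder).
SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0}}
VIRTUAL_ROOT = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"}}]}
VIRTUAL_IAM_USER_ONLY = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
    "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserName": "alice"}}]}

if __name__ == "__main__":
    for label, summ, devs in [("no MFA", SUMMARY_MFA_OFF, VIRTUAL_IAM_USER_ONLY),
                              ("virtual root MFA", SUMMARY_MFA_ON, VIRTUAL_ROOT),
                              ("non-virtual root MFA", SUMMARY_MFA_ON, VIRTUAL_IAM_USER_ONLY)]:
        print(label, "->", evaluate_root_mfa(summ, devs))
```

The check only establishes that the root MFA is not a virtual device; it cannot distinguish a TOTP hardware token from a FIDO security key, and the live variant needs iam:GetAccountSummary and iam:ListVirtualMFADevices permissions.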
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console as the root user.
Navigate to My Security Credentials.
Expand the Multi-factor authentication (MFA) section.
Click Activate MFA.
Choose Hardware MFA device and click Continue.
Enter the serial number of the hardware MFA token.
Follow the prompts to complete the setup by entering the authentication codes generated by the device.
Click Assign MFA to finalize the configuration.
Verify that the hardware MFA device is successfully activated by logging out and signing back in using the root credentials and the hardware token code.
Backout Plan:
If the hardware MFA device is lost or fails, follow AWS account recovery procedures to deactivate and replace it.
Go to My Security Credentials under the root account and choose Deactivate MFA device, then assign a new hardware MFA device immediately.