Profile Applicability:
Level 1
Description:
This control ensures that Multi-Factor Authentication (MFA) is enabled for the AWS root account. The root account is the most privileged identity in an AWS account and has unrestricted access to all resources and services. Enabling MFA provides an additional layer of protection by requiring a second verification factor, reducing the risk of account compromise even if the root account password is exposed.
Rationale:
The AWS root account has complete administrative control and cannot be restricted by IAM policies. If compromised, it can lead to catastrophic consequences such as unauthorized resource deletion, data exposure, and account hijacking. Enabling MFA ensures that authentication requires both something you know (the password) and something you have (a physical or virtual MFA device). This aligns with best practices and compliance frameworks including CIS, SOC 2, ISO 27001, and NIST 800-53, all of which mandate strong authentication for highly privileged accounts.
Impact:
Positive Impact: Significantly enhances account protection against unauthorized access by adding an extra verification layer for root credentials.
Negative Impact: Requires secure storage and management of MFA devices; loss of an MFA device may cause temporary login delays until it is reset.
Default Value:
By default, MFA is not enabled on the AWS root account after account creation.
Pre-Requisite:
AWS root account credentials.
An MFA device (either a virtual MFA app like Google Authenticator/Authy or a hardware MFA device such as a YubiKey).
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console using the root account credentials.
Click on the account name (top right corner) → Account.
Under Security credentials, locate the Multi-factor authentication (MFA) section.
If it shows MFA not enabled, the root account is non-compliant.
If MFA enabled appears with the MFA device type (virtual or hardware), the account is compliant.
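The console check above does not scale across many accounts. As an added example that is not part of this benchmark text, the following script evaluates the same control from two AWS IAM API outputs: the `AccountMFAEnabled` entry returned by `aws iam get-account-summary` (1 when root MFA is enabled, 0 otherwise) and the `<root_account>` row of the IAM credential report (`aws iam get-credential-report`), whose `mfa_active` column should agree. Both inputs here are constructed sample payloads embedded inline so the check runs offline; the account ID and user name in them are placeholders.

```python
"""Offline root-MFA compliance check over constructed AWS IAM API output.

Added example, not part of the benchmark text. In a real assessment the two
inputs come from:
    aws iam get-account-summary
    aws iam get-credential-report --query Content --output text | base64 -d
Here both are constructed samples so the logic can be exercised offline.
"""
import csv
import io
import json

# Constructed sample in the shape of `aws iam get-account-summary` output.
# SummaryMap.AccountMFAEnabled is 1 when the root user has MFA, else 0.
SAMPLE_ACCOUNT_SUMMARY_NONCOMPLIANT = json.dumps({
    "SummaryMap": {"Users": 12, "AccountMFAEnabled": 0}
})
SAMPLE_ACCOUNT_SUMMARY_COMPLIANT = json.dumps({
    "SummaryMap": {"Users": 12, "AccountMFAEnabled": 1}
})

# Constructed sample of a decoded credential report (CSV). The root user is
# listed as <root_account>; mfa_active is the string "true" or "false".
# Columns are trimmed to those this check reads; 123456789012 is a placeholder.
SAMPLE_CREDENTIAL_REPORT_NONCOMPLIANT = """\
user,arn,user_creation_time,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,2021-05-04T10:00:00+00:00,true,true
"""
SAMPLE_CREDENTIAL_REPORT_COMPLIANT = SAMPLE_CREDENTIAL_REPORT_NONCOMPLIANT.replace(
    "not_supported,false", "not_supported,true"
)


def root_mfa_from_account_summary(summary_json: str) -> bool:
    """True when GetAccountSummary reports MFA enabled on the root user."""
    summary = json.loads(summary_json)["SummaryMap"]
    return int(summary.get("AccountMFAEnabled", 0)) == 1


def root_row_from_credential_report(report_csv: str) -> dict:
    """Return the <root_account> row of a decoded credential report."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row
    raise ValueError("credential report contains no <root_account> row")


def assess_root_mfa(summary_json: str, report_csv: str) -> dict:
    """Combine both sources; compliant only when they agree that MFA is on.

    Disagreement is reported as a finding rather than resolved silently: the
    credential report is cached and may be older than the account summary.
    """
    summary_says_enabled = root_mfa_from_account_summary(summary_json)
    root = root_row_from_credential_report(report_csv)
    report_says_enabled = root["mfa_active"].strip().lower() == "true"

    findings = []
    if not summary_says_enabled:
        findings.append("root MFA not enabled (AccountMFAEnabled=0)")
    if summary_says_enabled != report_says_enabled:
        findings.append(
            "account summary and credential report disagree on root MFA; "
            "regenerate the credential report and re-check"
        )
    return {
        "compliant": summary_says_enabled and report_says_enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, summary, report in [
        ("non-compliant", SAMPLE_ACCOUNT_SUMMARY_NONCOMPLIANT, SAMPLE_CREDENTIAL_REPORT_NONCOMPLIANT),
        ("compliant", SAMPLE_ACCOUNT_SUMMARY_COMPLIANT, SAMPLE_CREDENTIAL_REPORT_COMPLIANT),
        ("stale report", SAMPLE_ACCOUNT_SUMMARY_COMPLIANT, SAMPLE_CREDENTIAL_REPORT_NONCOMPLIANT),
    ]:
        print(label, assess_root_mfa(summary, report))
```

The credential report is generated on demand with `aws iam generate-credential-report` and then cached by AWS for up to four hours, so a fresh root MFA enrollment can show as `mfa_active=false` until the report is regenerated; that is why the check treats disagreement between the two sources as a finding to re-verify rather than as either pass or fail.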
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console as the root user.
Navigate to My Security Credentials (from the drop-down under your account name).
Expand the Multi-Factor Authentication (MFA) section.
Click Activate MFA.
Choose one of the following MFA device options:
Virtual MFA device: Use an authenticator app (e.g., Authy, Google Authenticator).
FIDO2 security key: Use a hardware security key (e.g., YubiKey).
Hardware TOTP device: Use a physical MFA token.
Follow the setup instructions:
Scan the QR code with your MFA app or register your hardware device.
Enter the two consecutive MFA codes shown by your app or device.
Click Assign MFA.
Verify that MFA is successfully enabled by logging out and signing in again with your root account credentials and the MFA code.
Backout Plan:
If the MFA device is lost or malfunctioning, follow AWS account recovery procedures:
Go to the AWS Sign-In page and click Trouble signing in?
Follow the recovery prompts or contact AWS Support to reset MFA on the root account.
Once recovered, re-enable MFA immediately to restore compliance.