Enable Root MFA
This check ensures that Multi-Factor Authentication (MFA) is enabled for the AWS root account. Enabling MFA on the root account provides an additional layer of security and protects against unauthorized access to critical account-level settings.
Check Details
- Resource: General
- Check: Enable root MFA
- Risk: Compromise of the root account can lead to full account takeover
Remediation via AWS Console
- Log in to the AWS Management Console using the root account.
- Search for and open the IAM service.
- From the left navigation menu, click Dashboard.
- Under Security Status, expand Activate MFA on your root account.
- Click Activate MFA to begin the setup process.
- In the MFA setup wizard, select Virtual MFA device and click Next.
- AWS will display MFA setup details including a QR code and a secret configuration key.
- Open an authenticator app on your mobile device (Google Authenticator, Microsoft Authenticator, Authy, etc.).
- Add a new account in the MFA app using one of the following options:
  - Scan the QR code shown in the AWS console
  - Or click Show secret key and enter the key manually
- Enter the two consecutive MFA codes generated by the app and click Assign MFA.
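To audit this control programmatically rather than by inspecting the console, the following added example (not part of the original article) evaluates the two IAM data sources that expose root MFA state: the `AccountMFAEnabled` field of GetAccountSummary and the `mfa_active` column of the `<root_account>` row in the credential report. The `live_check` helper and the sample CSV are assumptions of this example; the sample data is constructed, not output from a real account.

```python
import csv
import io

# AWS uses this literal user name for the root row of the credential report.
ROOT_USER = "<root_account>"


def root_mfa_from_summary(summary_map: dict) -> bool:
    """GetAccountSummary exposes root MFA as SummaryMap['AccountMFAEnabled'] (1 = on)."""
    return int(summary_map.get("AccountMFAEnabled", 0)) == 1


def root_mfa_from_credential_report(report_csv: str) -> bool:
    """GetCredentialReport is CSV; the <root_account> row's mfa_active column is 'true'/'false'."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == ROOT_USER:
            return row.get("mfa_active", "false").strip().lower() == "true"
    raise ValueError("credential report has no <root_account> row")


def evaluate_root_mfa(summary_map: dict, report_csv: str) -> dict:
    """Pass only when both sources say MFA is on; flag it when they disagree."""
    from_summary = root_mfa_from_summary(summary_map)
    from_report = root_mfa_from_credential_report(report_csv)
    return {
        "check": "Enable root MFA",
        "resource": "General",
        "status": "PASS" if (from_summary and from_report) else "FAIL",
        "sources_agree": from_summary == from_report,
    }


def live_check() -> dict:
    """Fetch real data with boto3 (needs iam:GetAccountSummary/GenerateCredentialReport/GetCredentialReport)."""
    import time
    import boto3  # imported lazily so the evaluation logic above runs offline
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    report = iam.get_credential_report()["Content"].decode("utf-8")
    return evaluate_root_mfa(summary, report)


# Constructed sample data (not output from a real account) for an offline run.
SAMPLE_SUMMARY_FAIL = {"AccountMFAEnabled": 0, "Users": 3}
SAMPLE_REPORT_FAIL = (
    "user,arn,user_creation_time,password_enabled,mfa_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,false\n"
    "alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,true,true\n"
)

if __name__ == "__main__":
    print(evaluate_root_mfa(SAMPLE_SUMMARY_FAIL, SAMPLE_REPORT_FAIL))
```

Checking both sources catches a stale credential report (it can be up to four hours old), which is why `sources_agree` is reported separately from the pass/fail status.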