Ensure that hardware Multi-Factor Authentication (MFA) is enabled for your root account in order to secure the access to your AWS resources and adhere to Amazon security best practices. A hardware MFA is much more efficient than a virtual MFA as it has a minimal attack surface and cannot be hacked unless the malicious user gain physical access to the hardware device.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Having hardware-based MFA protection for your root account is the best way to protect your AWS resources and services against attackers. A hardware MFA device signature adds an extra layer of protection on top of your existing root credentials making your Amazon Web Services root account virtually impossible to penetrate without the MFA generated passcode.
To determine if your AWS root account is protected with a hardware-based MFA solution, perform the following:
To implement strong protection for your AWS root account using a Multi-Factor Authentication (MFA) hardware device, perform the following:Note: Installing and activating a hardware-based MFA device for the AWS root account via Command Line Interface (CLI) is not currently supported.