Ensure that hardware Multi-Factor Authentication (MFA) is enabled for your root account in order to secure access to your AWS resources and adhere to Amazon security best practices. A hardware MFA device is considerably stronger than a virtual MFA application because it has a minimal attack surface and cannot be compromised unless a malicious user gains physical access to the device itself.
This rule can help you with the following compliance standards:
- The Center for Internet Security (CIS) AWS Foundations Benchmark
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Having hardware-based MFA protection for your root account is the best way to protect your AWS resources and services against attackers. The one-time passcode generated by the hardware MFA device adds an extra layer of protection on top of your existing root credentials, making your Amazon Web Services root account virtually impossible to access without the device-generated passcode even if the root password is compromised.
Audit
To determine if your AWS root account is protected with a hardware-based MFA solution, perform the following:
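The following check is an added example, not Cloud Conformity's own code or tooling. It reproduces the decision logic behind this rule using the two IAM API responses the AWS CLI references on this page correspond to: `GetAccountSummary` reports whether the root user has any MFA device (`SummaryMap.AccountMFAEnabled`), and `ListVirtualMFADevices` lists virtual devices together with the user they are assigned to. Root MFA that is enabled but not backed by a virtual device assigned to the root ARN is hardware MFA. The sample responses are constructed (placeholder account id `123456789012`, trimmed fields), and the optional `fetch_live` helper assumes `boto3` with credentials that allow `iam:GetAccountSummary` and `iam:ListVirtualMFADevices`.

```python
"""Classify the AWS root account's MFA protection as hardware, virtual or none.

Added example; not Cloud Conformity code. Pure functions operate on the
response shapes of the real IAM APIs GetAccountSummary and
ListVirtualMFADevices so the logic can be run offline on sample data.
"""
from typing import Any, Dict, Iterable, List, Mapping

ROOT_ARN_SUFFIX = ":root"
ROOT_DEVICE_SUFFIX = ":mfa/root-account-mfa-device"


def root_has_mfa(account_summary: Mapping[str, Any]) -> bool:
    """True when GetAccountSummary reports an MFA device on the root user (1 = enabled)."""
    summary = account_summary.get("SummaryMap", {})
    return int(summary.get("AccountMFAEnabled", 0)) == 1


def root_virtual_devices(virtual_devices: Iterable[Mapping[str, Any]]) -> List[Dict[str, Any]]:
    """Virtual MFA devices assigned to the root user.

    Matches on the assigned user's ARN (arn:aws:iam::<id>:root) and, as a
    fallback, on the default serial number the console gives the root device.
    """
    matches = []
    for device in virtual_devices:
        user_arn = device.get("User", {}).get("Arn", "")
        serial = device.get("SerialNumber", "")
        if user_arn.endswith(ROOT_ARN_SUFFIX) or serial.endswith(ROOT_DEVICE_SUFFIX):
            matches.append(dict(device))
    return matches


def classify_root_mfa(account_summary: Mapping[str, Any],
                      virtual_devices: Iterable[Mapping[str, Any]]) -> str:
    """Return 'none' (rule fails), 'virtual' (rule fails) or 'hardware' (rule passes)."""
    if not root_has_mfa(account_summary):
        return "none"
    if root_virtual_devices(virtual_devices):
        return "virtual"
    # MFA is enabled on root but no virtual device is assigned to it.
    return "hardware"


def fetch_live() -> str:
    """Run the check against a real account. Assumes boto3 and valid credentials."""
    import boto3  # imported lazily so the offline sample data above needs no dependency

    iam = boto3.client("iam")
    summary = iam.get_account_summary()
    devices: List[Dict[str, Any]] = []
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices.extend(page.get("VirtualMFADevices", []))
    return classify_root_mfa(summary, devices)


# Constructed sample responses (placeholder account id 123456789012, fields trimmed).
SUMMARY_WITH_MFA = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}
SUMMARY_WITHOUT_MFA = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}

VIRTUAL_ROOT_DEVICE = {
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"},
}
VIRTUAL_IAM_USER_DEVICE = {
    "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
    "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserName": "alice"},
}


if __name__ == "__main__":
    # Walk through the three outcomes the rule distinguishes.
    print("no MFA on root:        ", classify_root_mfa(SUMMARY_WITHOUT_MFA, []))
    print("virtual MFA on root:   ", classify_root_mfa(SUMMARY_WITH_MFA, [VIRTUAL_ROOT_DEVICE]))
    print("hardware MFA on root:  ", classify_root_mfa(SUMMARY_WITH_MFA, [VIRTUAL_IAM_USER_DEVICE]))
```

Only the `hardware` outcome satisfies this rule; `none` and `virtual` both mean the root account should be remediated. Note that `AccountMFAEnabled` only says that some MFA device is registered for root, so the virtual-device listing is what distinguishes a hardware token from an authenticator app.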
Remediation / Resolution
To implement strong protection for your AWS root account using a Multi-Factor Authentication (MFA) hardware device, perform the following:
Note: Installing and activating a hardware-based MFA device for the AWS root account via the Command Line Interface (CLI) is not currently supported.
References
- AWS Documentation
  - AWS IAM FAQs
  - Multi-Factor Authentication
  - Using Multi-Factor Authentication (MFA) in AWS
  - Enabling a Hardware MFA Device (AWS Management Console)
  - IAM Best Practices
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-virtual-mfa-devices
Rule: Hardware MFA for AWS Root Account
Risk level: High