Root Account Hardware MFA Enabled
Overview
This check verifies that your AWS root user account has hardware-based multi-factor authentication (MFA) enabled, rather than a virtual authenticator app. The root user has unrestricted access to your entire AWS account, making it the most critical identity to protect.
Risk
If the root account lacks hardware MFA:
- Compromised credentials allow complete account takeover
- Virtual MFA alone is weaker: phone compromise, restoring a backup containing the seed, or SIM swapping can bypass it
- Attackers could delete all resources, modify billing, disable security logging, or exfiltrate data
This is rated Critical severity because root access cannot be restricted by IAM policies.
Remediation Steps
Prerequisites
- Access to the root user email and current password
- A hardware MFA device (FIDO2 security key like YubiKey, or a hardware TOTP token)
Hardware MFA options explained
AWS supports two types of hardware MFA for the root user:
- FIDO2 Security Keys (recommended)
  - Examples: YubiKey, Feitian, Thetis
  - Plug into USB or tap via NFC
  - Phishing-resistant (bound to the specific AWS domain)
- Hardware TOTP Tokens
  - Examples: Gemalto, SurePassID
  - Display a 6-digit code that changes every 30 seconds
  - Must be purchased from a compatible vendor
Virtual MFA (phone apps like Google Authenticator) is not sufficient to pass this check.
AWS Console Method
- Sign in as the root user at https://console.aws.amazon.com/ using the account's root email address
- Open your security credentials:
  - Click your account name in the top-right corner
  - Select Security credentials
  - Or go directly to: https://console.aws.amazon.com/iam/home#/security_credentials
- Scroll to the Multi-factor authentication (MFA) section
- If a virtual MFA device is assigned, remove it first:
  - Click the Remove button next to the existing MFA device
  - Confirm removal
- Assign a hardware MFA device:
  - Click Assign MFA device
  - Enter a device name (e.g., "root-hardware-key")
  - Choose either:
    - Security key for FIDO2 devices (YubiKey, etc.)
    - Hardware TOTP token for code-generating devices
  - Follow the on-screen prompts to register your device
- Store the hardware device securely (e.g., a locked safe or secure location accessible to authorized personnel only)
AWS CLI (optional)
Hardware MFA registration cannot be completed via CLI - it requires physical interaction with the device through the console. However, you can verify the current MFA status:
Check if MFA is enabled on the root account:
aws iam get-account-summary \
--region us-east-1 \
--query 'SummaryMap.AccountMFAEnabled'
- Returns 1 if MFA is enabled, 0 if not
List virtual MFA devices to see if root has virtual MFA:
aws iam list-virtual-mfa-devices \
--region us-east-1 \
--assignment-status Assigned \
--query 'VirtualMFADevices[?User.Arn==`arn:aws:iam::<ACCOUNT_ID>:root`]'
Replace <ACCOUNT_ID> with your 12-digit AWS account ID.
If this returns a result, the root user has virtual MFA which should be replaced with hardware MFA.
CloudFormation (optional)
MFA device assignment cannot be automated via CloudFormation. MFA registration requires physical interaction with the hardware device and must be done through the AWS Console.
CloudFormation can enforce MFA requirements through IAM policies, but cannot register MFA devices.
Terraform (optional)
MFA device assignment cannot be automated via Terraform. MFA registration requires physical interaction with the hardware device and must be done through the AWS Console.
Terraform can enforce MFA requirements through IAM policies, but cannot register MFA devices.
Verification
After completing the setup:
- In the AWS Console: Return to Security credentials and confirm the MFA section shows a hardware device (Security key or Hardware TOTP token) - not a Virtual MFA device
- Test sign-in: Sign out and sign back in as root. You should be prompted to use your hardware MFA device.
CLI verification
# Verify MFA is enabled (returns 1 if enabled)
aws iam get-account-summary \
--region us-east-1 \
--query 'SummaryMap.AccountMFAEnabled'
# Check for virtual MFA on root (should return empty if using hardware MFA)
aws iam list-virtual-mfa-devices \
--region us-east-1 \
--assignment-status Assigned \
--query 'VirtualMFADevices[?contains(User.Arn, `:root`)]'
The first command should return 1. The second should return an empty list [] if using hardware MFA (virtual MFA devices are tracked separately; hardware devices never appear in the list-virtual-mfa-devices output, so the combination "MFA enabled and no virtual device on root" is what indicates hardware MFA).
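The two CLI checks above only answer the question when combined, so here is that combination as a small evaluator, written as an added example for this page (not part of the original check's code). It takes the SummaryMap and VirtualMFADevices structures in the shape the IAM API returns them, runs against constructed sample responses offline, and the optional fetch_live helper assumes boto3 and AWS credentials are available.

```python
"""Evaluate 'root hardware MFA enabled' from IAM API response shapes (added example)."""
from typing import Iterable

ROOT_ARN_SUFFIX = ":root"  # root user ARN is arn:aws:iam::<ACCOUNT_ID>:root


def evaluate_root_mfa(summary_map: dict, virtual_devices: Iterable[dict]) -> dict:
    """Combine the two signals the page describes into one verdict.

    summary_map: SummaryMap from get-account-summary (AccountMFAEnabled is 1/0).
    virtual_devices: VirtualMFADevices from list-virtual-mfa-devices with
      AssignmentStatus=Assigned. Hardware devices (FIDO2 or TOTP tokens) never
      appear there, so 'MFA enabled' plus 'no virtual device on root' means
      hardware MFA. The API cannot tell a FIDO2 key from a TOTP token.
    """
    mfa_enabled = int(summary_map.get("AccountMFAEnabled", 0)) == 1
    root_virtual = [
        d.get("SerialNumber", "?") for d in virtual_devices
        if d.get("User", {}).get("Arn", "").endswith(ROOT_ARN_SUFFIX)
    ]
    if not mfa_enabled:
        return {"status": "FAIL", "reason": "root user has no MFA device of any kind"}
    if root_virtual:  # root may hold several devices; any virtual one fails the check
        return {"status": "FAIL", "reason": "root uses virtual MFA: " + ", ".join(root_virtual)}
    return {"status": "PASS", "reason": "MFA enabled and no virtual device on root (hardware MFA)"}


# Constructed sample responses, not real account data (account ID is a placeholder).
SUMMARY_HARDWARE = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}
SUMMARY_NONE = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0}
VIRTUAL_ROOT = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
                 "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"}}]
VIRTUAL_IAM_USER_ONLY = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
                          "User": {"Arn": "arn:aws:iam::123456789012:user/alice"}}]


def fetch_live(region: str = "us-east-1") -> dict:
    """Run the same evaluation against a real account (assumes boto3 + credentials)."""
    import boto3  # imported lazily so the offline samples run without it
    iam = boto3.client("iam", region_name=region)
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return evaluate_root_mfa(summary, devices)


if __name__ == "__main__":
    for name, summary, devices in [("hardware", SUMMARY_HARDWARE, []),
                                   ("none", SUMMARY_NONE, []),
                                   ("virtual-root", SUMMARY_HARDWARE, VIRTUAL_ROOT)]:
        print(name, evaluate_root_mfa(summary, devices))
```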
Additional Resources
- AWS: Enabling a hardware MFA device for the root user
- AWS: Best practices for the root user
- AWS: Available MFA device types
Notes
- Do not use root for daily tasks: Use IAM users or IAM Identity Center with appropriate permissions instead
- Backup access plan: Ensure at least two authorized individuals know the location of the hardware MFA device and root credentials for emergency access
- Consider multiple hardware keys: AWS allows registering up to 8 MFA devices per user, including root. Register a backup hardware key stored in a separate secure location
- Delete root access keys: Root access keys should not exist. Check and delete them in the Security credentials page
- AWS Organizations: If using AWS Organizations, consider using a centralized security account to manage root credentials across member accounts