Enable MFA for AWS Root Account
Overview
This check verifies that your AWS root account has multi-factor authentication (MFA) enabled. MFA adds an extra layer of security by requiring a second form of verification beyond just a password when signing in.
Risk
The root account has unrestricted access to everything in your AWS account. If someone steals the root password and there is no MFA, they can:
- Delete all your data
- Run up massive bills
- Lock you out of your own account
- Steal sensitive information
- Create hidden backdoor accounts
This is considered a critical security risk.
Remediation Steps
Prerequisites
- Access to the root account email and password
- A smartphone with an authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.)
AWS Console Method
1. Sign in as root - Go to the AWS Console and sign in using your root account email and password
2. Open security settings - Click your account name in the top-right corner, then select Security credentials
3. Find the MFA section - Scroll down to the Multi-factor authentication (MFA) section
4. Start MFA setup - Click Assign MFA device
5. Name your device - Enter a friendly name (e.g., "MyPhone") and select Authenticator app, then click Next
6. Set up your authenticator app:
   - Click Show QR code
   - Open your authenticator app on your phone
   - Scan the QR code with the app
7. Verify setup - Enter two consecutive codes from your authenticator app (wait for the first code to refresh before entering the second), then click Add MFA
8. Done - You should see a success message confirming MFA is now enabled
AWS CLI (optional)
MFA setup for the root account cannot be done via CLI. You must use the AWS Console.
However, you can verify MFA status using the CLI with an IAM user that has appropriate permissions:
```shell
aws iam get-account-summary --region us-east-1 --query 'SummaryMap.AccountMFAEnabled'
```
A return value of 1 means root MFA is enabled. A value of 0 means it is not.
Hardware MFA Option (Recommended for High Security)
For maximum security, consider using a hardware MFA device instead of an authenticator app:
- Purchase a FIDO2 security key (YubiKey, Feitian, etc.) or hardware TOTP token
- In the MFA assignment step, choose Security Key or Hardware TOTP token instead of Authenticator app
- Follow the on-screen instructions to register the device
Hardware MFA is more resistant to device compromise than software authenticators, and FIDO2 security keys in particular resist phishing because the credential is bound to the genuine AWS sign-in origin (a hardware TOTP token still produces a code that could be typed into a fake page).
Troubleshooting
QR code won't scan:
- Click "Show secret key" and manually enter the code into your authenticator app
Codes not working:
- Ensure your phone's time is set to automatic (MFA codes are time-based)
- Wait for a fresh code and try again
- Make sure you're entering two consecutive codes, not the same code twice
Lost access to MFA device:
- Contact AWS Support to regain access: https://aws.amazon.com/forms/aws-mfa-support
- This process requires identity verification and may take time
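The troubleshooting items above ("codes are time-based", "two consecutive codes, not the same code twice") follow from how authenticator apps generate codes. The following is an added example, not part of the original guide: a minimal RFC 6238 TOTP implementation (the algorithm authenticator apps and AWS share) with a pair check that mirrors the console's two-consecutive-codes requirement and shows why a phone clock that is off by minutes produces codes that are rejected. The base32 secret and the helper names (`totp`, `consecutive_codes`, `verify_pair`) are this example's own.

```python
"""RFC 6238 TOTP: why MFA codes depend on the clock, and why AWS asks for two in a row."""
# Added example, not from the original guide. The secret below is constructed for
# the demo; the algorithm is the standard one authenticator apps implement.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # authenticator apps and AWS use 30-second windows
DIGITS = 6

# Constructed base32 secret, like the "Show secret key" value in the console.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Compute the TOTP code for the time window containing unix_time (RFC 6238, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step                        # which time window we are in
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def consecutive_codes(secret_b32: str, unix_time: int) -> tuple:
    """The two consecutive codes the console asks for: current window and the next one."""
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + STEP_SECONDS)


def verify_pair(secret_b32: str, code1: str, code2: str, unix_time: int, skew_windows: int = 1) -> bool:
    """Accept a pair only if they come from two adjacent windows near the verifier's clock.

    The same code twice fails, and a phone clock that is off by more than
    skew_windows windows (30 s each) fails too, which is why "set time to automatic" matters.
    """
    if code1 == code2:
        return False
    base = unix_time // STEP_SECONDS
    for window in range(base - skew_windows, base + skew_windows + 1):
        first = totp(secret_b32, window * STEP_SECONDS)
        second = totp(secret_b32, (window + 1) * STEP_SECONDS)
        if hmac.compare_digest(first, code1) and hmac.compare_digest(second, code2):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    c1, c2 = consecutive_codes(DEMO_SECRET_B32, now)
    print("codes from two adjacent windows:", c1, c2)
    print("pair accepted:", verify_pair(DEMO_SECRET_B32, c1, c2, now))
    print("same code twice:", verify_pair(DEMO_SECRET_B32, c1, c1, now))
    # A phone clock 10 minutes behind produces codes for 20 windows ago: rejected.
    d1, d2 = consecutive_codes(DEMO_SECRET_B32, now - 600)
    print("phone clock 10 min behind:", verify_pair(DEMO_SECRET_B32, d1, d2, now))
```

The `skew_windows` tolerance is the usual one-window grace that verifiers allow; anything beyond that, such as a phone whose clock drifted by minutes, yields codes for windows the verifier never checks, which is the failure the "Codes not working" item describes.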
Verification
After enabling MFA:
- Sign out of the AWS Console
- Sign back in with your root email and password
- You should be prompted to enter an MFA code - this confirms MFA is working
Verification via CLI
Run this command to confirm root MFA is enabled:
```shell
aws iam get-account-summary --region us-east-1 --query 'SummaryMap.AccountMFAEnabled'
```
Expected output: 1
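The CLI check above (and the same command in the "AWS CLI (optional)" section) reads one field of the IAM account summary. As an added example, not part of the original guide, the script below does the same check programmatically with boto3's `get_account_summary()` and also reads `AccountAccessKeysPresent` from the same response, which covers the "delete root access keys" note at the end of this page. The function names `evaluate_root_summary` and `check_live_account` are this example's own; the two `SummaryMap` key names are the documented AWS ones.

```python
"""Check root-account MFA (and root access keys) from the IAM account summary."""
# Added example, not part of the original check text. The live call uses boto3's real
# iam.get_account_summary(); the helper names and sample maps are this example's own.
from typing import Dict, List

# SummaryMap keys returned by GetAccountSummary (documented AWS names).
MFA_KEY = "AccountMFAEnabled"
ACCESS_KEYS_KEY = "AccountAccessKeysPresent"


def evaluate_root_summary(summary_map: Dict[str, int]) -> Dict[str, object]:
    """Turn a SummaryMap into a pass/fail verdict for the root-account checks.

    AccountMFAEnabled == 1 means root MFA is on; AccountAccessKeysPresent == 1 means
    root still has programmatic access keys, which this guide says to delete.
    """
    mfa_enabled = summary_map.get(MFA_KEY, 0) == 1
    root_keys_present = summary_map.get(ACCESS_KEYS_KEY, 0) == 1
    findings: List[str] = []
    if not mfa_enabled:
        findings.append("CRITICAL: root account has no MFA device")
    if root_keys_present:
        findings.append("HIGH: root account has active access keys")
    return {
        "mfa_enabled": mfa_enabled,
        "root_access_keys_present": root_keys_present,
        "passed": mfa_enabled and not root_keys_present,
        "findings": findings,
    }


def check_live_account(region: str = "us-east-1") -> Dict[str, object]:
    """Query the real account; needs IAM-user credentials allowed iam:GetAccountSummary."""
    import boto3  # imported here so the pure helper above runs without boto3 installed

    iam = boto3.client("iam", region_name=region)
    return evaluate_root_summary(iam.get_account_summary()["SummaryMap"])


if __name__ == "__main__":
    # Constructed sample maps standing in for two accounts (no AWS call made here).
    samples = {
        "compliant": {MFA_KEY: 1, ACCESS_KEYS_KEY: 0},
        "non-compliant": {MFA_KEY: 0, ACCESS_KEYS_KEY: 1},
    }
    for label, summary in samples.items():
        print(label, evaluate_root_summary(summary))
    # To run against a real account: print(check_live_account())
```

Running `check_live_account()` from an IAM user or role rather than root keeps with the page's advice to never use root for routine work; the pure `evaluate_root_summary` function is what a scheduled compliance job would call on the fetched summary.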
Additional Resources
- AWS Documentation: Enable MFA for Root User
- AWS Best Practices for Root Account
- Supported MFA Devices
Notes
- Never use the root account for daily tasks. Create IAM users or use IAM Identity Center for routine work.
- Delete root access keys if they exist. Root should only be accessed via the console with MFA, not programmatically.
- Store MFA backup codes securely. Some authenticator apps provide backup/recovery options - use them.
- Consider enabling AWS Organizations centralized root access for enterprise environments to further reduce root credential risk.