Control: 2.5 Ensure hardware MFA is enabled for the 'root' user account
Description
The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.
Where an AWS Organization is using centralized root access, root credentials can be removed from member accounts. In that case it is neither possible nor necessary to configure root MFA in the member account.
Remediation
Note: To manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.
Perform the following to establish a hardware MFA for the 'root' user account:
- Open the AWS Management Console and sign in using your root user credentials.
- On the right side of the navigation bar, choose your account name, and choose Security credentials.
- In the Multi-Factor Authentication (MFA) section, choose Assign MFA device.
- In the wizard, type a Device name, choose Authenticator app, and then choose Next. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.
- Open the virtual MFA app on the device. If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.
- The easiest way to configure the app is to use the app to scan the QR code. If you cannot scan the code, you can type the configuration information manually. The QR code and secret configuration key generated by IAM are tied to your AWS account. To use the QR code to configure the virtual MFA device, from the wizard, choose Show QR code. Then follow the app instructions for scanning the code. For example, you might need to choose the camera icon or choose a command like Scan account barcode, and then use the device's camera to scan the QR code. To enter the secret key manually, in the Set up device wizard, choose Show secret key, and then type the secret key into your MFA app.
- In the wizard, in the MFA code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the MFA code 2 box. Choose Add MFA.
Note: the wizard steps above, as written, register an Authenticator app, which IAM records as a virtual MFA device; this control's query still reports such an account as alarm. To satisfy the hardware MFA requirement, choose Hardware TOTP token (or Passkey or security key) instead of Authenticator app at the device-type step and follow the prompts for that device type; the earlier steps (sign in as root, open Security credentials, choose Assign MFA device) are the same.
Remediation for this recommendation is not available through AWS CLI.
Default Value:
By default, the AWS root user has no MFA device of any kind assigned. MFA must be explicitly configured, and the simplest console path (Authenticator app) produces a virtual (software-based) device, not a hardware one.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_2_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_5 --share
SQL
This control uses a named query:
select
  'arn:' || s.partition || ':::' || s.account_id as resource,
  case
    when s.account_mfa_enabled and d.serial_number is null then 'ok'
    else 'alarm'
  end status,
  case
    when s.account_mfa_enabled = false then 'MFA not enabled for root account.'
    when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'
    else 'Hardware MFA device enabled for root account.'
  end reason,
  s.account_id
from
  aws_iam_account_summary as s
  left join aws_iam_virtual_mfa_device as d
    on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';
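The query above distinguishes three states: no account-level MFA, a virtual device bound to the root ARN, and anything else (a hardware TOTP token or a security key, neither of which appears in the virtual-device table). The following is an added example, not part of the aws_compliance mod, that reproduces the same decision against the raw IAM API shapes the Steampipe tables are built from: the AccountMFAEnabled key of iam:GetAccountSummary and the VirtualMFADevices list of iam:ListVirtualMFADevices. The sample inputs and the account ID are constructed; the evaluate_live_account helper assumes boto3 and valid credentials and is only called if you run it yourself.

```python
"""Re-implement the cis_v600_2_5 decision against IAM API responses.

Added example (not part of the aws_compliance mod). Mirrors the control's SQL:
account-level MFA comes from GetAccountSummary, and a virtual device bound to
the root ARN comes from ListVirtualMFADevices.
"""
from typing import Iterable, Mapping


def root_arn(partition: str, account_id: str) -> str:
    """ARN of the root user, built exactly as the query builds it."""
    return f"arn:{partition}:iam::{account_id}:root"


def evaluate_root_mfa(
    account_summary: Mapping[str, int],
    virtual_devices: Iterable[Mapping],
    partition: str,
    account_id: str,
) -> dict:
    """Return the control's resource, status and reason for one account.

    account_summary: the 'SummaryMap' dict returned by iam:GetAccountSummary
    virtual_devices: the 'VirtualMFADevices' list from iam:ListVirtualMFADevices
    """
    mfa_enabled = account_summary.get("AccountMFAEnabled", 0) == 1
    root = root_arn(partition, account_id)
    # Only a virtual device assigned to the root user matters; devices on
    # IAM users are irrelevant to this control (same join condition as the SQL).
    root_virtual = [
        d["SerialNumber"]
        for d in virtual_devices
        if d.get("User", {}).get("Arn") == root
    ]
    resource = f"arn:{partition}:::{account_id}"
    if not mfa_enabled:
        return {"resource": resource, "status": "alarm",
                "reason": "MFA not enabled for root account."}
    if root_virtual:
        return {"resource": resource, "status": "alarm",
                "reason": "MFA enabled for root account, but the MFA associated is a virtual device."}
    # Account MFA is on and no virtual device is bound to root: hardware token
    # or security key, which is what the control wants.
    return {"resource": resource, "status": "ok",
            "reason": "Hardware MFA device enabled for root account."}


def evaluate_live_account(partition: str = "aws") -> dict:
    """Run the same check against the caller's own account.

    Assumes boto3 is installed and credentials with iam:GetAccountSummary,
    iam:ListVirtualMFADevices and sts:GetCallerIdentity are available.
    boto3 is imported lazily so the pure function above works offline.
    """
    import boto3
    iam = boto3.client("iam")
    sts = boto3.client("sts")
    account_id = sts.get_caller_identity()["Account"]
    summary = iam.get_account_summary()["SummaryMap"]
    devices = iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
    return evaluate_root_mfa(summary, devices, partition, account_id)


# Constructed sample inputs (not captured from a real account) covering the
# three outcomes the query can produce.
ACCOUNT = "123456789012"  # placeholder account ID
SAMPLE_NO_MFA = {"AccountMFAEnabled": 0}
SAMPLE_MFA = {"AccountMFAEnabled": 1}
SAMPLE_VIRTUAL_ROOT = [
    {"SerialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/root-account-mfa-device",
     "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:root"}},
]
SAMPLE_VIRTUAL_OTHER_USER = [
    {"SerialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/alice",
     "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}},
]

if __name__ == "__main__":
    for label, summary, devices in [
        ("no MFA", SAMPLE_NO_MFA, []),
        ("virtual MFA on root", SAMPLE_MFA, SAMPLE_VIRTUAL_ROOT),
        ("hardware MFA on root", SAMPLE_MFA, SAMPLE_VIRTUAL_OTHER_USER),
    ]:
        print(label, "->", evaluate_root_mfa(summary, devices, "aws", ACCOUNT))
```

The third sample case is the one worth noticing: a virtual device assigned to an ordinary IAM user does not affect the root verdict, exactly as the SQL's join on the root ARN ignores it. Conversely, a FIDO security key registered to root never appears in ListVirtualMFADevices, so it is reported as ok along with a hardware TOTP token.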