turbot/steampipe-mod-aws-compliance

Control: Ensure that the root user account has MFA enabled for console access

Description

This control checks whether the root user account has multi-factor authentication (MFA) enabled for console access. The control fails if the root user account does not have MFA enabled for console access.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_root_user_account_console_access_mfa_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_root_user_account_console_access_mfa_enabled --share

SQL

This control uses a named query:

select
  'arn:' || partition || ':::' || account_id as resource,
  case
    when account_password_present and not account_mfa_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when not account_password_present then 'Console sign-in disabled for root account.'
    when account_password_present and not account_mfa_enabled then 'Console sign-in enabled for root account but no MFA device configured.'
    else 'Console sign-in enabled for root account and MFA device configured.'
  end as reason,
  account_id
from
  aws_iam_account_summary;
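To see how the three branches of the query resolve without a live AWS connection, the following added example (not part of the mod, and not code from Turbot) loads constructed rows mirroring the columns the control reads from aws_iam_account_summary into an in-memory SQLite table and runs the same query against them. The only change to the query is that partition is double-quoted, because PARTITION is a keyword in SQLite. The three sample accounts are constructed: one fails (console password set, no MFA), one passes with MFA, and one has no root console password at all, which the control reports as ok rather than alarm.

```python
import sqlite3

# Constructed sample rows standing in for aws_iam_account_summary, one per account:
# (partition, account_id, account_password_present, account_mfa_enabled)
SAMPLE_ACCOUNTS = [
    ("aws", "111111111111", 1, 0),  # root password set, no MFA device -> alarm
    ("aws", "222222222222", 1, 1),  # root password set, MFA configured -> ok
    ("aws", "333333333333", 0, 0),  # no root console password -> ok (sign-in disabled)
]

# The control's query, unchanged apart from quoting "partition" (a SQLite keyword).
CONTROL_QUERY = """
select
  'arn:' || "partition" || ':::' || account_id as resource,
  case
    when account_password_present and not account_mfa_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when not account_password_present then 'Console sign-in disabled for root account.'
    when account_password_present and not account_mfa_enabled then 'Console sign-in enabled for root account but no MFA device configured.'
    else 'Console sign-in enabled for root account and MFA device configured.'
  end as reason,
  account_id
from
  aws_iam_account_summary;
"""


def run_control(rows):
    """Load the rows into an in-memory table with the columns the control reads,
    run the control query, and return one dict per account (resource, status, reason, account_id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table aws_iam_account_summary ("
        '"partition" text, account_id text, '
        "account_password_present integer, account_mfa_enabled integer)"
    )
    conn.executemany("insert into aws_iam_account_summary values (?, ?, ?, ?)", rows)
    cur = conn.execute(CONTROL_QUERY)
    cols = [d[0] for d in cur.description]
    results = [dict(zip(cols, r)) for r in cur.fetchall()]
    conn.close()
    return results


def failing_accounts(rows):
    """Account ids the control would report in alarm, sorted for stable output."""
    return sorted(r["account_id"] for r in run_control(rows) if r["status"] == "alarm")


if __name__ == "__main__":
    for r in run_control(SAMPLE_ACCOUNTS):
        print(f'{r["status"]:5}  {r["resource"]}  {r["reason"]}')
```

The third row is the case worth noticing in review: an account whose root user has no console password is reported as ok by this control, because the check is scoped to console access; it says nothing about root access keys, which this query does not inspect.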

Tags