Control: Ensure that the root user account has MFA enabled for console access
Description
This control checks whether the root user account has multi-factor authentication (MFA) enabled for console access. The control fails if the root user account does not have MFA enabled for console access.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_root_user_account_console_access_mfa_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.iam_root_user_account_console_access_mfa_enabled --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':::' || account_id as resource,
  case
    when account_password_present and not account_mfa_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when not account_password_present then 'Console sign-in disabled for root account.'
    when account_password_present and not account_mfa_enabled then 'Console sign-in enabled for root account but no MFA device configured.'
    else 'Console sign-in enabled for root account and MFA device configured.'
  end as reason,
  account_id
from
  aws_iam_account_summary;
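To see how the three branches of the query above resolve without a live AWS connection, the following added example (not part of the control or the aws_compliance mod) loads constructed rows shaped like Steampipe's aws_iam_account_summary table into an in-memory SQLite database and runs the control's query over them. The sample account IDs and flag values are invented; the only change to the query is that the partition column is double-quoted, because PARTITION is a reserved word in some SQL dialects.

```python
import sqlite3

# Constructed sample rows standing in for Steampipe's aws_iam_account_summary
# table (one row per connected account). Account IDs and flags are invented.
SAMPLE_ACCOUNTS = [
    # (partition, account_id, account_password_present, account_mfa_enabled)
    ("aws", "111111111111", 1, 1),  # root console sign-in enabled, MFA configured
    ("aws", "222222222222", 1, 0),  # root console sign-in enabled, no MFA -> alarm
    ("aws", "333333333333", 0, 0),  # root console sign-in disabled -> ok
]

# The control's query; "partition" is quoted so SQLite accepts it as a column name.
CONTROL_QUERY = """
select
  'arn:' || "partition" || ':::' || account_id as resource,
  case
    when account_password_present and not account_mfa_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when not account_password_present then 'Console sign-in disabled for root account.'
    when account_password_present and not account_mfa_enabled then 'Console sign-in enabled for root account but no MFA device configured.'
    else 'Console sign-in enabled for root account and MFA device configured.'
  end as reason,
  account_id
from
  aws_iam_account_summary;
"""


def run_control(rows=SAMPLE_ACCOUNTS):
    """Create a table named like the Steampipe table, load the constructed rows,
    run the control query and return one dict per account, sorted by account_id.
    Booleans are stored as 0/1 integers, which SQLite's NOT/AND evaluate as expected."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'create table aws_iam_account_summary ('
        '"partition" text, account_id text, '
        'account_password_present integer, account_mfa_enabled integer)'
    )
    conn.executemany(
        "insert into aws_iam_account_summary values (?, ?, ?, ?)", rows
    )
    cur = conn.execute(CONTROL_QUERY)
    cols = [d[0] for d in cur.description]
    results = [dict(zip(cols, r)) for r in cur.fetchall()]
    conn.close()
    return sorted(results, key=lambda r: r["account_id"])


def alarms(rows=SAMPLE_ACCOUNTS):
    """Return the account IDs whose root user fails the control."""
    return [r["account_id"] for r in run_control(rows) if r["status"] == "alarm"]


if __name__ == "__main__":
    for r in run_control():
        print(f'{r["status"]:5} {r["resource"]:24} {r["reason"]}')
```

Note that the status is 'ok' both when an MFA device is configured and when root console sign-in is disabled entirely; only the reason column tells the two cases apart, so a report that filters on status alone will not show which accounts have no root password at all.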