🛡️ AWS Account Root User MFA is not enabled.🟢

• Contextual name: 🛡️ Account Root User MFA is not enabled.🟢
• ID: /ce/ca/aws/iam/root-user-mfa
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM User
  • 🔌 AWS IAM User - credReport.extracts.yaml
  • 🔌 AWS IAM User - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Root MFA Enabled

Description

Open File

Description

The root user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their username and password as well as an authentication code from their AWS MFA device.

Note: When virtual MFA is used for root accounts, it is recommended that the device used is not a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices ("non-personal virtual MFA"). This lessens the risk of losing access to MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.

Rationale

Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.

Audit

Perform the following to determine if the root user account has MFA setup:

... see more

Remediation

Open File

Remediation

Note: To manage MFA devices for the root AWS account, you must use your root account credentials to sign in to AWS. You cannot manage MFA devices for the root account using other credentials.

Perform the following to establish MFA for the root user account:

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Dashboard, and under Security Status, expand Activate MFA on your root account.
3. Choose Activate MFA.
4. In the wizard, choose A virtual MFA device and then choose Next Step.
5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.
6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Well-Architected → 💼 SEC02-BP01 Use strong sign-in mechanisms			5		no data
💼 CIS AWS v1.2.0 → 💼 1.13 Ensure MFA is enabled for the "root" account			1		no data
💼 CIS AWS v1.3.0 → 💼 1.5 Ensure MFA is enabled for the "root user" account			1		no data
💼 CIS AWS v1.4.0 → 💼 1.5 Ensure MFA is enabled for the 'root' user account			1		no data
💼 CIS AWS v1.5.0 → 💼 1.5 Ensure MFA is enabled for the 'root' user account - Level 1 (Automated)			1		no data
💼 CIS AWS v2.0.0 → 💼 1.5 Ensure MFA is enabled for the 'root' user account - Level 1 (Automated)			1		no data
💼 CIS AWS v3.0.0 → 💼 1.5 Ensure MFA is enabled for the 'root' user account - Level 1 (Automated)			1		no data
💼 CIS AWS v4.0.0 → 💼 1.5 Ensure MFA is enabled for the 'root' user account (Automated)			1		no data
💼 CIS AWS v4.0.1 → 💼 1.5 Ensure MFA is enabled for the 'root' user account (Automated)			1		no data
💼 CIS AWS v5.0.0 → 💼 1.4 Ensure MFA is enabled for the 'root' user account (Automated)			1		no data
💼 CIS AWS v6.0.0 → 💼 2.4 Ensure MFA is enabled for the 'root' user account (Automated)			1		no data
💼 CIS AWS v7.0.0 → 💼 2.5 Ensure MFA is enabled for the 'root' user account (Automated)			1		no data
💼 Cloudaware Framework → 💼 Multi-Factor Authentication (MFA) Implementation			18		no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP High Security Controls → 💼 IA-2(1) Multi-factor Authentication to Privileged Accounts (L)(M)(H)			3		no data
💼 FedRAMP High Security Controls → 💼 IA-2(2) Multi-factor Authentication to Non-privileged Accounts (L)(M)(H)			3		no data
💼 FedRAMP High Security Controls → 💼 IA-2(6) Access to Accounts —separate Device (M)(H)			3		no data
💼 FedRAMP High Security Controls → 💼 IA-2(8) Access to Accounts — Replay Resistant (L)(M)(H)			3		no data
💼 FedRAMP Low Security Controls → 💼 IA-2(1) Multi-factor Authentication to Privileged Accounts (L)(M)(H)			3		no data
💼 FedRAMP Low Security Controls → 💼 IA-2(2) Multi-factor Authentication to Non-privileged Accounts (L)(M)(H)			3		no data
💼 FedRAMP Low Security Controls → 💼 IA-2(8) Access to Accounts — Replay Resistant (L)(M)(H)			3		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-2(1) Multi-factor Authentication to Privileged Accounts (L)(M)(H)			3		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-2(2) Multi-factor Authentication to Non-privileged Accounts (L)(M)(H)			3		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-2(6) Access to Accounts —separate Device (M)(H)			3		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-2(8) Access to Accounts — Replay Resistant (L)(M)(H)			3		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			27		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-2(1) Identification and Authentication (organizational Users) _ Multi-factor Authentication to Privileged Accounts			3		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-2(2) Identification and Authentication (organizational Users) _ Multi-factor Authentication to Non-privileged Accounts			3		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-2(6) Identification and Authentication (organizational Users) _ Access to Accounts —separate Device			3		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-2(8) Identification and Authentication (organizational Users) _ Access to Accounts — Replay Resistant			3		no data
💼 PCI DSS v3.2.1 → 💼 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.			3		no data
💼 PCI DSS v4.0.1 → 💼 8.4.1 MFA is implemented for all non-console access into the CDE for personnel with administrative access.			3		no data
💼 PCI DSS v4.0.1 → 💼 8.4.2 MFA is implemented for all non-console access into the CDE.			3		no data
💼 PCI DSS v4.0 → 💼 8.4.1 MFA is implemented for all non-console access into the CDE for personnel with administrative access.		1	3		no data
💼 PCI DSS v4.0 → 💼 8.4.2 MFA is implemented for all access into the CDE.		1	3		no data