πΌ 1.4 Ensure MFA is enabled for the 'root' user account (Automated)
- Contextual name: πΌ 1.4 Ensure MFA is enabled for the 'root' user account (Automated)
- ID:
/frameworks/cis-aws-v5.0.0/01/04
- Located in: πΌ 1 Identity and Access Management
Descriptionβ
The 'root' user account is the most privileged user in an AWS account. Multi-factor
Authentication (MFA) adds an extra layer of protection on top of a username and
password. With MFA enabled, when a user signs in to an AWS website, they will be
prompted for their username and password as well as for an authentication code from
their AWS MFA device.
Note: When virtual MFA is used for 'root' accounts, it is recommended that the device
used is NOT a personal device, but rather a dedicated mobile device (tablet or phone)
that is kept charged and secured, independent of any individual personal devices ("nonpersonal
virtual MFA"). This lessens the risks of losing access to the MFA due to device
loss, device trade-in, or if the individual owning the device is no longer employed at the
company.
Where an AWS Organization is using centralized root access, root credentials can be
removed from member accounts. In that case it is neither possible nor necessary to
configure root MFA in the member account.
Similarβ
- Sections
/frameworks/cis-aws-v4.0.1/01/05
Similar Sections (Take Policies From)β
Similar Sections (Give Policies To)β
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
Policies (1)β