Quick Info
| Plugin Title | Root Hardware MFA |
| Cloud | AWS |
| Category | IAM |
| Description | Ensures the root account is using a hardware MFA device |
| More Info | The root account should use a hardware MFA device for added security, rather than a virtual device which could be more easily compromised. |
| AWS Link | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html |
| Recommended Action | Enable a hardware MFA device for the root account and disable any virtual devices |
Detailed Remediation Steps
- Log in to the AWS Management Console using your root credentials.
- Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.
- On the “Security Credentials” page, click on the Multi-Factor Authentication (MFA).
- On the MFA management panel, check for any enabled MFA device that has the attribute set “Hardware MFA”.
- Repeat steps number 2 - 4 to check other AWS root accounts.
- Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.
- Click on the “Multi-Factor Authentication (MFA)” accordion tab to expand the MFA management panel.
- Click on the “Activate MFA” button to initiate the MFA device setup process.
- In the “Manage MFA device”, select the “Other hardware MFA device” and click on the “Continue” button.
- On the “Set up hardware MFA device”, enter the “Serial number” and MFA Code 1 and MFA Code 2.
- Click on the “Assign MFA” to complete the process.
- Repeat steps number 6 - 11 to enable a hardware MFA device for the root account and disable any virtual devices.