Aqua CSPM

Root Hardware MFA

Quick Info

Plugin Title: Root Hardware MFA
Cloud: AWS
Category: IAM
Description: Ensures the root account is using a hardware MFA device
More Info: The root account should use a hardware MFA device for added security, rather than a virtual device which could be more easily compromised.
AWS Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html
Recommended Action: Enable a hardware MFA device for the root account and disable any virtual devices

Detailed Remediation Steps

  1. Log in to the AWS Management Console using your root credentials.
  2. Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.
  3. On the “Security Credentials” page, click on “Multi-Factor Authentication (MFA)”.
  4. On the MFA management panel, check for any enabled MFA device whose attribute is set to “Hardware MFA”.
  5. Repeat steps 2 - 4 to check other AWS root accounts.
  6. Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.
  7. Click on the “Multi-Factor Authentication (MFA)” accordion tab to expand the MFA management panel.
  8. Click on the “Activate MFA” button to initiate the MFA device setup process.
  9. Under “Manage MFA device”, select “Other hardware MFA device” and click on the “Continue” button.
  10. Under “Set up hardware MFA device”, enter the “Serial number”, MFA Code 1 and MFA Code 2.
  11. Click on “Assign MFA” to complete the process.
  12. Repeat steps 6 - 11 to enable a hardware MFA device for the root account and disable any virtual devices.
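The console check in steps 1 - 4 can also be done from the IAM API. The following is an added example, not Aqua's plugin code: it classifies root MFA from the responses of `get_account_summary` and `list_virtual_mfa_devices`, treating "hardware" as MFA enabled on root with no virtual device assigned to root. The function names, sample responses and the placeholder account ID 111122223333 are assumptions made for illustration.

```python
"""Classify root-account MFA from two IAM API responses (added example)."""


def root_mfa_status(account_summary, virtual_mfa_devices):
    """Return 'none', 'virtual' or 'hardware' for the root user.

    account_summary     -- response of iam.get_account_summary()
    virtual_mfa_devices -- response of
        iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")
    """
    summary = account_summary.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        return "none"  # root has no MFA device at all
    for device in virtual_mfa_devices.get("VirtualMFADevices", []):
        # A virtual device assigned to root carries the root user ARN.
        if device.get("User", {}).get("Arn", "").endswith(":root"):
            return "virtual"
    # MFA is on for root and no virtual device is assigned to it.
    return "hardware"


def fetch_live():
    """Query the current account; needs boto3 and IAM read permissions."""
    import boto3  # imported here so the offline samples run without it
    iam = boto3.client("iam")
    devices = []
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return iam.get_account_summary(), {"VirtualMFADevices": devices}


# Constructed sample responses; 111122223333 is a placeholder account ID.
SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0}}
ROOT_VIRTUAL = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::111122223333:root"}}]}
USER_VIRTUAL_ONLY = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
    "User": {"Arn": "arn:aws:iam::111122223333:user/alice"}}]}

if __name__ == "__main__":
    cases = [("no MFA", SUMMARY_MFA_OFF, {"VirtualMFADevices": []}),
             ("root virtual MFA", SUMMARY_MFA_ON, ROOT_VIRTUAL),
             ("only an IAM user has virtual MFA", SUMMARY_MFA_ON, USER_VIRTUAL_ONLY)]
    for label, summary, devices in cases:
        print(f"{label}: {root_mfa_status(summary, devices)}")
```

A result of "virtual" or "none" means the remediation in steps 6 - 12 still applies to that account.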