Aqua CSPM

Root MFA Enabled

Quick Info

| Field | Value |
|---|---|
| Plugin Title | Root MFA Enabled |
| Cloud | AWS |
| Category | IAM |
| Description | Ensures a multi-factor authentication device is enabled for the root account |
| More Info | The root account should have an MFA device set up to enable two-factor authentication. |
| AWS Link | http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html |
| Recommended Action | Enable an MFA device for the root account and then use an IAM user for managing services |

Detailed Remediation Steps

  1. Log in to the AWS Management Console.
  2. Click the AWS account name at the top of the AWS Management Console and select “My Security Credentials” from the menu.
  3. On the “Your Security Credentials” page, scroll down and click “Multi-factor authentication (MFA)”. Check the “Multi-factor authentication (MFA)” section for any active devices. If the “Activate MFA” button is shown, a multi-factor authentication device is not enabled for the root account.
  4. Repeat steps 2 and 3 to check another AWS account.
  5. On the “Your Security Credentials” page, scroll down, click “Multi-factor authentication (MFA)”, and then click the “Activate MFA” button to enable a multi-factor authentication device.
  6. Select “Virtual MFA device” and click “Continue”.
  7. Install an AWS MFA-compatible application on a mobile device or computer. Once the application is installed, click “Show QR code” and scan the code with the installed application.
  8. Enter two consecutive MFA codes generated by the application in “MFA code 1” and “MFA code 2”, then click the “Assign MFA” button.
  9. On successful setup, the following message is displayed: “You have successfully assigned virtual MFA”.
  10. “Multi-factor authentication (MFA)” is now enabled for the root account.
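
The console check in steps 2 to 4 can also be run against the IAM credential report, which is easier to repeat across many accounts. The following is an added example, not Aqua's plugin code; the sample reports and account IDs are constructed, trimmed to a few columns, and the function names are hypothetical.

```python
import csv
import io

# Name IAM uses for the root row in a credential report.
ROOT_USER = "<root_account>"

def root_mfa_status(report_csv: str) -> str:
    """Return PASS, FAIL or UNKNOWN for one account's credential report (CSV text)."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") != ROOT_USER:
            continue
        value = (row.get("mfa_active") or "").strip().lower()
        if value == "true":
            return "PASS"
        if value == "false":
            return "FAIL"
        return "UNKNOWN"  # mfa_active column missing or holding an unexpected value
    return "UNKNOWN"      # no root row: truncated report or wrong file

def audit_accounts(reports: dict) -> dict:
    """Map each account ID to its root MFA status."""
    return {account: root_mfa_status(text) for account, text in reports.items()}

# Constructed sample input. A real report comes from
# `aws iam generate-credential-report` followed by
# `aws iam get-credential-report` (the CLI returns Content base64-encoded).
HEADER = "user,arn,user_creation_time,password_enabled,mfa_active\n"
SAMPLE_REPORTS = {
    "111111111111": HEADER
    + "<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,true\n"
    + "alice,arn:aws:iam::111111111111:user/alice,2021-03-04T00:00:00+00:00,true,false\n",
    "222222222222": HEADER
    + "<root_account>,arn:aws:iam::222222222222:root,2019-06-01T00:00:00+00:00,not_supported,false\n",
    # Root row absent: reported as UNKNOWN rather than silently passing.
    "333333333333": HEADER
    + "bob,arn:aws:iam::333333333333:user/bob,2022-02-02T00:00:00+00:00,true,true\n",
}

if __name__ == "__main__":
    for account, status in audit_accounts(SAMPLE_REPORTS).items():
        print(f"{account}: root MFA {status}")
```

An IAM user's `mfa_active` value (alice, bob) does not affect the result; only the `<root_account>` row is evaluated.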