UNKNOWN
Source
CloudSploit
ID
root-hardware-mfa

Root Hardware MFA

Ensures the root account is using a hardware MFA device

The root account should use a hardware MFA device for added security, rather than a virtual device which could be more easily compromised.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the AWS Management Console using your root credentials.

  2. Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.Step

  3. On the “Security Credentials” page, click on the Multi-Factor Authentication (MFA).Step

  4. On the MFA management panel, check for any enabled MFA device that has the attribute set “Hardware MFA”. Step

  5. Repeat steps number 2 - 4 to check other AWS root accounts.

  6. Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.

  7. Click on the “Multi-Factor Authentication (MFA)” accordion tab to expand the MFA management panel.Step

  8. Click on the “Activate MFA” button to initiate the MFA device setup process.Step

  9. In the “Manage MFA device”, select the “Other hardware MFA device” and click on the “Continue” button.Step

  10. On the “Set up hardware MFA device”, enter the “Serial number” and MFA Code 1 and MFA Code 2.

  11. Click on the “Assign MFA” to complete the process.

  12. Repeat steps number 6 - 11 to enable a hardware MFA device for the root account and disable any virtual devices.