HIGH
Source
CloudSploit
ID
root-hardware-mfa

Root Hardware MFA

Ensures the root account is using a hardware MFA device

The root account should use a hardware MFA device for added security, rather than a virtual device which could be more easily compromised.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the AWS Management Console using your root credentials.

  2. Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.

  3. On the “Security Credentials” page, click on the “Multi-Factor Authentication (MFA)” section.

  4. On the MFA management panel, check for any enabled MFA device that has the attribute set to “Hardware MFA”.

  5. Repeat steps number 2 - 4 to check other AWS root accounts.

  6. Click on the “Account name” option at the right corner of the management console and select Security Credentials from the dropdown menu.

  7. Click on the “Multi-Factor Authentication (MFA)” accordion tab to expand the MFA management panel.

  8. Click on the “Activate MFA” button to initiate the MFA device setup process.

  9. In the “Manage MFA device” dialog, select “Other hardware MFA device” and click on the “Continue” button.

  10. On the “Set up hardware MFA device”, enter the “Serial number” and MFA Code 1 and MFA Code 2.

  11. Click on the “Assign MFA” to complete the process.

  12. Repeat steps number 6 - 11 to enable a hardware MFA device for the root account and disable any virtual devices.
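To run the same check programmatically rather than clicking through the console, the following is an added example (not CloudSploit's own plugin code) that evaluates the root account's MFA posture from the two IAM API responses a scanner would fetch: the account summary and the list of assigned virtual MFA devices. The account id and device names in the sample responses are constructed.

```python
"""Evaluate root-account MFA posture from IAM API responses (added example)."""
from typing import Any, Dict, List, Tuple

# Constructed stand-in for iam.get_account_summary()["SummaryMap"]
SAMPLE_SUMMARY: Dict[str, int] = {"AccountMFAEnabled": 1}

# Constructed stand-in for
# iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
SAMPLE_VIRTUAL_DEVICES: List[Dict[str, Any]] = [
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::111122223333:root"}},
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
     "User": {"Arn": "arn:aws:iam::111122223333:user/alice"}},
]


def root_has_virtual_mfa(devices: List[Dict[str, Any]]) -> bool:
    """True if an assigned virtual MFA device belongs to the root user.

    The root user's ARN ends in ':root'; the console names root's virtual
    device 'root-account-mfa-device', so either signal identifies it."""
    for dev in devices:
        user_arn = dev.get("User", {}).get("Arn", "")
        serial = dev.get("SerialNumber", "")
        if user_arn.endswith(":root") or serial.endswith("/root-account-mfa-device"):
            return True
    return False


def evaluate_root_mfa(summary_map: Dict[str, int],
                      devices: List[Dict[str, Any]]) -> Tuple[str, str]:
    """Return (status, message) for the root-hardware-mfa check.

    IAM exposes no API that names root's hardware device directly, so
    'hardware' is inferred: MFA is enabled for root (AccountMFAEnabled == 1)
    and no virtual device is assigned to root."""
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return "FAIL", "Root account does not have MFA enabled"
    if root_has_virtual_mfa(devices):
        return "FAIL", "Root account is using a virtual MFA device"
    return "PASS", "Root account is using a hardware MFA device"


def fetch_live() -> Tuple[Dict[str, int], List[Dict[str, Any]]]:
    """Fetch the two responses from AWS with boto3 (needs credentials)."""
    import boto3  # imported lazily so the sample evaluation runs offline
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
    return summary, devices


if __name__ == "__main__":
    print(evaluate_root_mfa(SAMPLE_SUMMARY, SAMPLE_VIRTUAL_DEVICES))
```

Replace the sample inputs with `fetch_live()` to evaluate a real account; the constructed sample fails because root is on a virtual device.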