IAM should have MFA enabled for the root account


Enabling MFA increases the security of console access because the authenticating principal must both possess a device that emits a time-sensitive key and know a credential. When virtual MFA is used for the root account, the device should be a dedicated mobile device, independent of personal devices.

Console Remediation Steps

  • While logged in as the root account user, select your account name > My Security Credentials from the top navigation.

  • If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  • Expand the Multi-factor authentication (MFA) section and click Activate MFA.

  • Select Virtual MFA device and follow the steps documented here.

CLI Remediation Steps

Remediation is not possible via the CLI.
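
Although the fix itself has to be made in the console, the resulting state can be verified from CLI output. The following is an added example, not part of the original page: it classifies root MFA from the JSON returned by aws iam get-account-summary and aws iam list-virtual-mfa-devices. The sample JSON is constructed, the function names are hypothetical, and matching the root user by an Arn ending in ":root" is an assumption about the output shape.

```python
import json

# Constructed sample outputs (not from a real account) of:
#   aws iam get-account-summary
#   aws iam list-virtual-mfa-devices --assignment-status Assigned
SAMPLE_SUMMARY = json.loads('{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 4}}')
SAMPLE_VIRTUAL = json.loads("""
{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
   "User": {"Arn": "arn:aws:iam::111122223333:root"}},
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
   "User": {"Arn": "arn:aws:iam::111122223333:user/alice"}}
]}
""")


def root_mfa_status(summary, virtual_devices):
    """Return 'missing', 'virtual' or 'non-virtual' for the root user's MFA."""
    # AccountMFAEnabled is 1 when the root user has MFA, 0 otherwise.
    if summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        return "missing"
    for device in virtual_devices.get("VirtualMFADevices", []):
        # Match on the principal the device is assigned to, not its name.
        if device.get("User", {}).get("Arn", "").endswith(":root"):
            return "virtual"
    # MFA is on but no virtual device belongs to root.
    return "non-virtual"


def finding(summary, virtual_devices):
    """Return (compliant, message) for this control."""
    status = root_mfa_status(summary, virtual_devices)
    if status == "missing":
        return False, "FAIL: root account has no MFA; remediate in the console"
    if status == "virtual":
        return True, "PASS: virtual MFA; confirm it is on a dedicated device"
    return True, "PASS: root MFA enabled with a non-virtual device"


if __name__ == "__main__":
    print(finding(SAMPLE_SUMMARY, SAMPLE_VIRTUAL)[1])
```

To run it against a real account, save the output of the two commands to files and pass the parsed JSON to finding() in place of the samples.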