IAM should have hardware MFA enabled for the root account


MFA adds an extra layer of protection on top of a user name and password. Enabling hardware MFA for the root account increases the security of console access, because a hardware MFA device has a smaller attack surface than a virtual MFA device.

Console Remediation Steps

  • Log in as the root account user, then from the top navigation select your account name > My Security Credentials.

  • If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  • Expand the Multi-factor authentication (MFA) section and click Activate MFA.

  • Select hardware MFA device and follow the steps documented here.

CLI Remediation Steps

Remediation is not possible via the CLI.
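
Although remediation is console-only, the result can be checked from CLI output. The following is an added example, not part of the original page: it classifies root MFA from the JSON returned by `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices`. The sample JSON, account ID and device names are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample of `aws iam get-account-summary` output (trimmed).
SUMMARY = json.loads('{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 12}}')

# Constructed sample of `aws iam list-virtual-mfa-devices` output.
# The account ID and device names are placeholders.
VIRTUAL_DEVICES = json.loads("""
{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
   "User": {"UserName": "alice",
            "Arn": "arn:aws:iam::123456789012:user/alice"}},
  {"SerialNumber": "arn:aws:iam::123456789012:mfa/unassigned-device"},
  {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
   "User": {"Arn": "arn:aws:iam::123456789012:root"}}
]}
""")


def root_mfa_status(summary: dict, virtual_devices: dict) -> str:
    """Classify root MFA as 'none', 'virtual' or 'hardware'."""
    # AccountMFAEnabled is 1 only when the root user has an MFA device.
    if summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        return "none"
    for device in virtual_devices.get("VirtualMFADevices", []):
        # Unassigned devices carry no "User" key; skip them.
        owner_arn = device.get("User", {}).get("Arn", "")
        # Match on the owner ARN rather than the serial number, because
        # the serial number embeds the device name, which can vary.
        if owner_arn.endswith(":root"):
            return "virtual"
    # MFA is on and no virtual device belongs to root.
    return "hardware"


def is_compliant(summary: dict, virtual_devices: dict) -> bool:
    """True only when root MFA is enabled and not backed by a virtual device."""
    return root_mfa_status(summary, virtual_devices) == "hardware"


if __name__ == "__main__":
    print(root_mfa_status(SUMMARY, VIRTUAL_DEVICES))
```

Any virtual device assigned to root makes the check fail, even if a hardware device is registered as well.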