IAM Root User MFA Enabled Rule
This rule ensures that Multi-Factor Authentication is enabled for IAM root users to enhance security.
| Rule | IAM root user MFA should be enabled |
| Framework | AWS Audit Manager Control Tower Guardrails |
| Severity | ✔ Medium |
Ensuring IAM Root User MFA is Enabled for AWS Control Tower Guardrails
Overview of the Rule
Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. For AWS accounts, it is recommended to enable MFA for the root user to secure the account against unauthorized access. In an environment where AWS Control Tower is used, enabling MFA for the root user is particularly important, as this account has complete access to all AWS services and resources.
AWS Control Tower's Guardrails are high-level rules that provide governance for securing AWS environments. Mandating MFA for the root user within these Guardrails ensures that the AWS Audit Manager can successfully audit the compliance and security posture of the AWS environment.
Troubleshooting Steps
If the IAM root user MFA is not enabled, follow these steps to troubleshoot and remedy the situation:
1. Check if MFA is enabled for the root user
Using the AWS Management Console:
- Sign in to the AWS Management Console with the root user credentials.
- Go to the "My Security Credentials" section from the account drop-down on the top right corner.
- Look for the Multi-Factor Authentication (MFA) section to see if MFA is enabled.
2. Enabling MFA
If MFA is not enabled, you can enable it by selecting “Activate MFA” on the same page.
Steps to Remediate
Here's how you can enable MFA for the root user through the AWS Management Console:
1. Sign into the AWS Management Console
- Use your root user credentials to log in.
2. Open the IAM Dashboard
3. Navigate to Security Credentials
- Click on "My Security Credentials" in the account drop-down menu at the top-right corner of the console.
4. Activate MFA
- In the Multi-Factor Authentication (MFA) section, click on “Activate MFA”.
- Choose a virtual MFA device or a hardware MFA device as per your preference and follow the instructions provided to set it up.
CLI Commands for Remediation
AWS CLI does not support enabling MFA for the root user; this action must be done through the AWS Management Console.
SEO Considerations
The content provided above is structured and organized with clear subheadings, making it SEO-friendly. It offers direct information without fluff, adhering to best practices for search engine optimization. Including relevant keywords such as "enable MFA for AWS root user", "AWS Audit Manager", "Control Tower Guardrails", and "AWS security best practices" within the content can further improve SEO performance.
By implementing and documenting security measures like MFA for root users in accordance with AWS Audit Manager and Control Tower Guardrails, you ensure a stronger security posture and better compliance reporting for your AWS environment.