Enforce MFA on the AWS Root Account
Why this matters
The AWS root user has unrestricted access to your entire AWS environment. Enabling MFA adds an essential layer of security by requiring both a password and a time-sensitive code from a separate device. Without MFA, a compromised root password could give attackers full control over your cloud infrastructure.
What this check does
We verify whether MFA is enabled for the root user of your AWS account by checking:
That the mfa_active flag is TRUE
Or that root password login is disabled (password_enabled = FALSE)
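As an added example (not the check's own implementation), the Python below applies the two conditions above to an IAM credential report, the CSV in which AWS reports each user's password_enabled and mfa_active flags and names the root user <root_account>; the report content here is constructed sample data, and the account id is a placeholder.

```python
import base64
import csv
import io
from typing import Optional

# Constructed sample of a decoded IAM credential report. Only the columns this
# check reads are included; real reports carry many more. For the root user
# AWS reports password_enabled as "not_supported" rather than true/false.
SAMPLE_REPORT_CSV = """user,arn,user_creation_time,password_enabled,mfa_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,false
alice,arn:aws:iam::111111111111:user/alice,2021-05-04T10:00:00+00:00,true,true
"""

ROOT_USER = "<root_account>"  # the credential report's name for the root user


def root_row(report_csv: str) -> Optional[dict]:
    """Return the credential-report row for the root user, or None if absent."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == ROOT_USER:
            return row
    return None


def evaluate_root_mfa(report_csv: str) -> dict:
    """PASS if root has MFA active or root password login is disabled,
    FAIL otherwise, ERROR if the report has no root row at all."""
    row = root_row(report_csv)
    if row is None:
        return {"status": "ERROR", "reason": "no <root_account> row in report"}
    mfa = row.get("mfa_active", "").strip().lower()
    pwd = row.get("password_enabled", "").strip().lower()
    if mfa == "true":
        return {"status": "PASS", "reason": "root user has MFA active"}
    if pwd == "false":
        return {"status": "PASS", "reason": "root password login is disabled"}
    return {"status": "FAIL",
            "reason": f"root MFA inactive (mfa_active={mfa!r}, "
                      f"password_enabled={pwd!r})"}


def decode_report_content(content_b64: str) -> str:
    """The CLI (aws iam get-credential-report --query Content --output text)
    prints the report base64-encoded; decode it to CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


if __name__ == "__main__":
    # Live use: run `aws iam generate-credential-report` first, then feed the
    # decoded Content of get-credential-report to evaluate_root_mfa().
    print(evaluate_root_mfa(SAMPLE_REPORT_CSV))
```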
How to fix it
Only users logged in as root can manage MFA settings for the root account.
Follow these steps to enable MFA:
Sign in to the AWS Console using your root credentials: https://console.aws.amazon.com/iam/
Go to the IAM Dashboard
In the "Security Status" section, select Activate MFA on your root account
Choose Virtual MFA Device > Next Step
Scan the QR code with your MFA app (e.g., Google Authenticator, Authy), or manually enter the secret key shown
Enter two consecutive codes from the app
Click Assign MFA
Done: your root user is now protected with MFA.
Exceptions
If your organization uses centralized access and disables root user credentials across AWS accounts, this check may not apply. In such cases, MFA setup on those member accounts is not required.