Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explained
Auto Checks Detailed Explanation
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Enforce MFA on the AWS Root Account

Framework Reference: A.8.5 (Secure Authentication) Integration: AWS – IAM

Why this matters

The AWS root user has unrestricted access to your entire AWS environment. Enabling MFA adds an essential layer of security by requiring both a password and a time-sensitive code from a separate device. Without MFA, a compromised root password could give attackers full control over your cloud infrastructure.

What this check does

We verify whether MFA is enabled for the root user of your AWS account by checking:

That the mfa_active flag is TRUE

Or that root password login is disabled (password_enabled = FALSE)

How to fix it

Only users logged in as root can manage MFA settings for the root account.

Follow these steps to enable MFA:

Sign in to the AWS Console using your root credentials
https://console.aws.amazon.com/iam/

Go to the IAM Dashboard

In the "Security Status" section, select Activate MFA on your root account

Choose Virtual MFA Device > Next Step

Scan the QR code with your MFA app (e.g., Google Authenticator, Authy)
Or manually enter the secret key shown

Enter two consecutive codes from the app

Click Assign MFA

Done β€” your root user is now protected with MFA.

Exceptions

If your organization uses centralized access and disables root user credentials across AWS accounts, this check may not apply. In such cases, MFA setup on those member accounts is not required.

Further Ressources

Enable MFA for the AWS root user

How to enable virtual MFA

Disabling root account access

Was this article helpful?

Powered by Product Fruits