CRITICAL IAM · CIS 1.5

Root account MFA

Check ID: aws-iam-001

aws-iam-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether the AWS root user has MFA enabled. The root user has unrestricted access to every resource in the account.

Why it matters

The root user has unrestricted access to every resource in the account and is the only identity that can perform certain account-level actions, such as closing the account, changing the account email address or payment details, and restoring an IAM user's permissions. IAM policies never apply to it. A service control policy can restrict the root user of an AWS Organizations member account, but nothing restricts the root user of the management account. Without MFA, a single leaked, guessed or reset root password (a compromise of the root email mailbox is enough to reset it) gives an attacker the whole account: they can delete every resource, create backdoor users and access keys, and exfiltrate data. A hardware MFA device is preferable to a virtual (phone app) TOTP device. A FIDO security key is the strongest option because its assertion is bound to the AWS sign-in origin and cannot be relayed by a phishing page; a TOTP code, whether from an app or a hardware token, can be relayed in real time. AWS root MFA does not support SMS, so SIM swapping is not the relevant threat here; phishing and password reuse are.

Common causes

Root MFA is typically skipped during initial account setup. Member accounts created through AWS Organizations are the usual gap: they are created programmatically, their root user starts with no password set (using it requires a password reset through the root email address), and teams reason that since nobody signs in as root there is nothing to protect, then defer MFA indefinitely. In an organization with dozens of accounts that leaves dozens of unprotected root users, because no team owns the task and because each device must be enrolled by hand while signed in as that account's root user.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
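The logic behind this check, written out as an added example (this is not cloud-audit's own code): it reads the three IAM signals a scanner would use. AccountMFAEnabled from GetAccountSummary is the real-time field CIS 1.5 audits; the <root_account> row of the credential report is a cross-check that can lag by up to four hours; and ListVirtualMFADevices tells a virtual TOTP device from a hardware one, which goes slightly beyond this check toward the hardware-MFA control. The fetch_inputs helper, the sample data and the inference that any enrolled root MFA not listed as a virtual device is hardware are all assumptions of this example, labelled as such in the code.

```python
"""Evaluate the aws-iam-001 condition (root user MFA) from IAM read-only data.

Added example for this page; it is not cloud-audit's own code. It uses three
real IAM read APIs (GetAccountSummary, GetCredentialReport, ListVirtualMFADevices)
but is exercised below on constructed sample data so it runs offline.
"""
import csv
import io
import time

ROOT_ROW_USER = "<root_account>"   # the literal user name IAM puts on the root row


def is_root_arn(arn):
    """Root user ARNs have the form arn:aws:iam::<account-id>:root."""
    return arn.endswith(":root")


def root_row(credential_report_csv):
    """Return the root user's row of the credential report as a dict (or None)."""
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        if row.get("user") == ROOT_ROW_USER:
            return row
    return None


def evaluate_root_mfa(account_summary, credential_report_csv, virtual_mfa_devices):
    """Return a finding dict for the root user's MFA state.

    account_summary       : the SummaryMap from GetAccountSummary
    credential_report_csv : decoded Content from GetCredentialReport
    virtual_mfa_devices   : VirtualMFADevices from ListVirtualMFADevices(Assigned)
    """
    notes = []
    # GetAccountSummary is the authoritative, real-time signal CIS 1.5 audits.
    enabled = account_summary.get("AccountMFAEnabled") == 1

    # The credential report is a cross-check: it is cached for up to four hours,
    # so a disagreement usually means a device was enrolled or removed recently.
    row = root_row(credential_report_csv)
    if row is None:
        notes.append("credential report has no <root_account> row")
    elif (row.get("mfa_active", "").lower() == "true") != enabled:
        notes.append("credential report and account summary disagree on root MFA; report may be stale")

    # A virtual (TOTP app) device assigned to the root ARN shows up here. Assumption
    # made by this example: any enabled root MFA that is not a listed virtual device
    # is a hardware device (FIDO security key or hardware TOTP token).
    root_virtual = any(
        is_root_arn(d.get("User", {}).get("Arn", "")) for d in virtual_mfa_devices
    )
    if not enabled:
        mfa_type = None
    elif root_virtual:
        mfa_type = "virtual"
        notes.append("root uses a virtual MFA device; a hardware device is recommended")
    else:
        mfa_type = "hardware"

    return {
        "check": "aws-iam-001",
        "status": "PASS" if enabled else "FAIL",
        "mfa_enabled": enabled,
        "mfa_type": mfa_type,
        "notes": notes,
    }


def fetch_inputs(iam):
    """Collect the three inputs from a live account with a boto3 IAM client."""
    summary = iam.get_account_summary()["SummaryMap"]
    # Report generation is asynchronous; poll until the state is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    report = iam.get_credential_report()["Content"].decode()
    devices = iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
    return summary, report, devices


# Constructed sample data (the account ID is the AWS documentation placeholder).
# Real credential reports carry more columns; only the ones used here are kept.
def sample_report(root_mfa_active):
    return (
        "user,arn,user_creation_time,password_enabled,mfa_active\n"
        f"{ROOT_ROW_USER},arn:aws:iam::123456789012:root,2019-04-02T10:11:12+00:00,"
        f"not_supported,{root_mfa_active}\n"
        "deploy,arn:aws:iam::123456789012:user/deploy,2021-06-01T00:00:00+00:00,true,true\n"
    )


SAMPLE_SUMMARY_NO_MFA = {"AccountMFAEnabled": 0, "Users": 12}
SAMPLE_SUMMARY_MFA = {"AccountMFAEnabled": 1, "Users": 12}
SAMPLE_ROOT_VIRTUAL_DEVICE = [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root"},
}]

if __name__ == "__main__":
    import boto3
    print(evaluate_root_mfa(*fetch_inputs(boto3.client("iam"))))
```

Run it as a script with credentials for any principal allowed iam:GetAccountSummary, iam:GenerateCredentialReport, iam:GetCredentialReport and iam:ListVirtualMFADevices; none of these calls needs root. For an organization, loop over the member accounts by assuming a cross-account read-only role before constructing each IAM client, so every root user is assessed rather than only the one in the account you happen to be in.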

Remediation: AWS CLI

# Root MFA cannot be enabled through the CLI or API; only the root user can enrol
# its own device, in the AWS Console:
# 1. Sign in as root: https://console.aws.amazon.com/
# 2. Open the account menu > Security credentials > Multi-factor authentication (MFA)
# 3. Assign MFA device (a FIDO security key is recommended; a hardware TOTP token is acceptable)
# Verify afterwards from any principal allowed iam:GetAccountSummary; expect 1:
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'

Remediation: Terraform

# Root MFA cannot be managed via Terraform: no API exposes root MFA enrolment, and
# aws-vault only manages local credentials, so it does not protect the root user.
# Enrol the device in the AWS Console, then keep continuous detection in Terraform with
# the AWS Config managed rule ROOT_ACCOUNT_MFA_ENABLED (aws_config_config_rule, owner "AWS").

Compliance mapping

This check maps to CIS 1.5, "Ensure MFA is enabled for the 'root' user account", in the CIS AWS Foundations Benchmark (v1.4.0 and later numbering; the companion control 1.6 additionally requires that the device be hardware). The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit