MEDIUM IAM · CIS 1.6

Root hardware MFA

Check ID: aws-iam-015

AWS-IAM-015 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether the root account uses a hardware MFA device instead of a virtual MFA device. Hardware MFA provides stronger protection against phishing and device compromise.

Why it matters

Virtual MFA (software authenticator apps) stores TOTP seeds on devices that can be compromised by malware, SIM-swapping attacks, or phone theft. Hardware MFA devices (YubiKey, Titan Security Key, or AWS-provided Gemalto tokens) store the cryptographic material in a tamper-resistant hardware element that cannot be extracted or cloned. In the 2022 Lapsus$ attacks, the threat group specifically targeted virtual MFA by social engineering employees to approve push notifications. Hardware FIDO2 keys are phishing-resistant because they verify the origin domain, preventing token theft through fake login pages. For the root account, which has irrevocable full access to the AWS account, the stronger protection of hardware MFA is a critical safeguard. AWS now supports FIDO2 security keys as MFA for the root account.

Common causes

Virtual MFA is easier and cheaper to set up than hardware MFA, so it becomes the default choice during initial account configuration. Organizations may not have a procurement process for hardware security keys, especially for accounts managed by individual developers. Teams that already have virtual MFA enabled may view hardware MFA as an unnecessary upgrade since root MFA is already present.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
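The following is an added example of how this check can be evaluated from the IAM API; it is not cloud-audit's own code. It relies on two real boto3 IAM calls, get_account_summary() and list_virtual_mfa_devices(): when the account summary reports AccountMFAEnabled = 1 but no assigned virtual MFA device belongs to the root user (the device's User ARN ends in ":root"), the root MFA must be a hardware TOTP token or a FIDO2 security key. The function names, the RootMfaFinding type, and the sample payloads (account id 111122223333) are constructed for this example.

```python
"""Classify the root account's MFA type from IAM API payloads.

Added example, not part of cloud-audit. Decision rule (CIS 1.6 style):
  - AccountMFAEnabled != 1            -> FAIL (no root MFA at all)
  - a virtual device assigned to root -> FAIL (virtual MFA on root)
  - otherwise                         -> PASS (hardware TOTP or FIDO2 key)
FIDO2 keys and hardware TOTP tokens never appear in ListVirtualMFADevices,
which is what makes this inference sound.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RootMfaFinding:
    status: str   # "PASS" or "FAIL"
    detail: str


def classify_root_mfa(summary_map: dict, virtual_devices: list) -> RootMfaFinding:
    """Pure decision logic over raw API payloads, so it can be tested offline."""
    if int(summary_map.get("AccountMFAEnabled", 0)) != 1:
        return RootMfaFinding("FAIL", "Root account has no MFA device enabled")
    for dev in virtual_devices:
        user_arn = dev.get("User", {}).get("Arn", "")
        if user_arn.endswith(":root"):
            serial = dev.get("SerialNumber", "<unknown>")
            return RootMfaFinding("FAIL", f"Root uses a virtual MFA device: {serial}")
    return RootMfaFinding("PASS", "Root MFA is enabled and not virtual (hardware TOTP or FIDO2)")


def scan_root_mfa(session=None) -> RootMfaFinding:
    """Live check. Needs credentials with iam:GetAccountSummary and
    iam:ListVirtualMFADevices. boto3 is imported lazily so the module
    stays importable (and the pure logic testable) without it."""
    import boto3
    iam = (session or boto3.Session()).client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices, marker = [], None
    while True:  # IAM list calls page with IsTruncated/Marker
        kwargs = {"AssignmentStatus": "Assigned"}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_virtual_mfa_devices(**kwargs)
        devices.extend(page.get("VirtualMFADevices", []))
        if not page.get("IsTruncated"):
            break
        marker = page["Marker"]
    return classify_root_mfa(summary, devices)


# Constructed sample payloads; 111122223333 is a placeholder account id.
SAMPLE_SUMMARY_MFA_ON = {"AccountMFAEnabled": 1, "Users": 4}
SAMPLE_VIRTUAL_ROOT = [{
    "SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::111122223333:root", "UserId": "111122223333"},
}]
SAMPLE_VIRTUAL_IAM_USER_ONLY = [{
    "SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
    "User": {"Arn": "arn:aws:iam::111122223333:user/alice", "UserName": "alice"},
}]

if __name__ == "__main__":
    cases = [
        ("virtual MFA on root", SAMPLE_SUMMARY_MFA_ON, SAMPLE_VIRTUAL_ROOT),
        ("hardware MFA on root", SAMPLE_SUMMARY_MFA_ON, SAMPLE_VIRTUAL_IAM_USER_ONLY),
        ("no root MFA", {"AccountMFAEnabled": 0}, []),
    ]
    for label, summ, devs in cases:
        f = classify_root_mfa(summ, devs)
        print(f"{label:22s} -> {f.status}: {f.detail}")
```

The live path cannot tell a hardware TOTP token from a FIDO2 key; both pass, which matches the check's scope. If the scanning principal lacks iam:ListVirtualMFADevices the call raises and the result should be reported as an error rather than a PASS, since an empty device list would otherwise look like hardware MFA.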

Remediation: AWS CLI

# 1. Purchase a hardware MFA device (FIDO2 or TOTP)
# 2. Sign in as root to AWS Console
# 3. Go to: IAM > Security credentials > MFA
# 4. Remove current virtual MFA
# 5. Assign hardware MFA device

Remediation: Terraform

# Root MFA cannot be managed via Terraform.
# Use AWS Console to configure hardware MFA.

Compliance mapping

This check maps to CIS 1.6 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit