AWS Config Rule: ROOT ACCOUNT HARDWARE MFA ENABLED

ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

Fernando Honig

Last Update 2 years ago

Description: Checks whether your AWS account is configured to require a multi-factor authentication (MFA) hardware device when signing in with root credentials.


Trigger type: Periodic


AWS Region: All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), AWS GovCloud (US-West) Region


How to Resolve Manually 

To resolve this manually, sign in to the AWS Management Console with Root Credentials (Email Address / Password). 


On the right side of the navigation bar, choose your account name, and choose My Security Credentials.




Before you enable MFA for your root user, review your account settings and contact information to make sure that you have access to the email and phone number. If your MFA device is lost, stolen, or not working, you can still sign in as the root user by verifying your identity using that email and phone number. To learn about signing in using these alternative factors of authentication

A hardware MFA device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device when prompted during the sign-in process. Each MFA device assigned to a user must be unique; a user cannot type a code from another user's device to be authenticated.


Hardware MFA devices and U2F security keys are both physical devices that you purchase. The difference is that hardware MFA devices generate a code that you view and then enter when prompted while signing in to AWS. With a U2F security key, you don't see or type an authentication code. Instead, the U2F security key generates a response without presenting it to the user, and the service validates it.


To enable MFA: 


  • Expand the Multi-Factor Authentication (MFA) section on the page.
  • In the Manage MFA device wizard, choose Hardware MFA device and then choose Continue.
  • Type the device serial number. The serial number is usually on the back of the device.
  • In the MFA code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
  • Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the MFA code 2 box. You might need to press the button on the front of the device again to display the second number.
  • Choose Assign MFA.
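To verify the outcome of the steps above, or to reproduce the rule's evaluation outside AWS Config, the check below reads the two IAM API responses the rule depends on: the account summary flag `AccountMFAEnabled` (is any MFA device on the root user?) and the list of assigned virtual MFA devices (is that device a software TOTP app rather than hardware?). This is an added example, not StackZone's or AWS's code; the sample responses are constructed and the account id 123456789012 is a placeholder.

```python
"""Offline mirror of the ROOT_ACCOUNT_HARDWARE_MFA_ENABLED evaluation (added example)."""
from typing import Any, Dict, Tuple


def evaluate_root_hardware_mfa(summary: Dict[str, Any],
                               virtual_devices: Dict[str, Any]) -> Tuple[str, str]:
    """Return (status, reason) from get_account_summary / list_virtual_mfa_devices output."""
    # Step 1: AccountMFAEnabled is 1 only when the root user has some MFA device.
    if summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        return "NON_COMPLIANT", "root user has no MFA device enabled"
    # Step 2: a virtual (software) device assigned to root means MFA is on but not
    # hardware-backed. U2F keys and hardware TOTP tokens never appear in this list.
    for dev in virtual_devices.get("VirtualMFADevices", []):
        if dev.get("User", {}).get("Arn", "").endswith(":root"):
            return "NON_COMPLIANT", f"root MFA is virtual: {dev.get('SerialNumber')}"
    return "COMPLIANT", "root MFA is enabled and is not a virtual device"


def evaluate_live_account() -> Tuple[str, str]:
    """Same check against the current account; needs credentials with
    iam:GetAccountSummary and iam:ListVirtualMFADevices (assumed IAM actions)."""
    import boto3  # imported here so the module loads without boto3 installed
    iam = boto3.client("iam")
    return evaluate_root_hardware_mfa(
        iam.get_account_summary(),
        iam.list_virtual_mfa_devices(AssignmentStatus="Assigned"))


# Constructed sample responses in the shape the IAM API returns.
SAMPLE_NO_MFA = {"SummaryMap": {"AccountMFAEnabled": 0}}
SAMPLE_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1}}
SAMPLE_NO_VIRTUAL = {"VirtualMFADevices": []}
SAMPLE_VIRTUAL_ROOT = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"}}]}
SAMPLE_VIRTUAL_IAM_USER = {"VirtualMFADevices": [{
    "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
    "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserId": "AIDAEXAMPLE"}}]}

if __name__ == "__main__":
    for label, s, v in [("no MFA", SAMPLE_NO_MFA, SAMPLE_NO_VIRTUAL),
                        ("virtual MFA on root", SAMPLE_MFA_ON, SAMPLE_VIRTUAL_ROOT),
                        ("hardware MFA on root", SAMPLE_MFA_ON, SAMPLE_VIRTUAL_IAM_USER)]:
        print(f"{label:22s} -> {evaluate_root_hardware_mfa(s, v)}")
```

Note that a virtual device assigned to an ordinary IAM user does not affect the result; only the root user's device type matters to this rule.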

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our How It Works section with easy-to-follow videos, or just create your own StackZone account here.
