The 'root' user account should use hardware-based MFA

Description

The root user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. When a user signs in to an AWS website that has MFA enabled, they are prompted for their username and password, as well as an authentication code from their AWS MFA device. For Level 2 security, Datadog recommends protecting the root user account with a hardware MFA device, because it has a smaller attack surface than a virtual MFA. A hardware MFA device reduces the exposure introduced by the mobile devices where virtual MFAs typically reside. However, if managing a single hardware MFA across many AWS accounts poses challenges, you might consider applying this recommendation selectively to the highest security accounts.

Remediation

For instructions on enabling a hardware MFA for the root account, refer to Enabling Hardware MFA for Your AWS Account Root User.
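
To confirm the result after remediation, the following added example (not Datadog's rule logic or code from the original page) evaluates the JSON returned by `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices`. The function names and sample responses are constructed for illustration, and the check assumes that a root user with MFA enabled and no virtual device assigned is using a hardware device.

```python
import json

# Constructed sample responses in the shape returned by
# `aws iam get-account-summary` and
# `aws iam list-virtual-mfa-devices --assignment-status Assigned`.
SAMPLE_SUMMARY = json.loads('{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 12}}')
SAMPLE_VIRTUAL = json.loads("""
{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice-phone",
   "User": {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"}},
  {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
   "User": {"Arn": "arn:aws:iam::123456789012:root"}}
]}
""")


def root_virtual_mfa_serials(virtual_devices):
    """Serial numbers of virtual MFA devices assigned to the root user."""
    serials = []
    for dev in virtual_devices.get("VirtualMFADevices", []):
        arn = dev.get("User", {}).get("Arn", "")
        # The root user's ARN has the form arn:aws:iam::<account-id>:root,
        # so the last colon-separated field is exactly "root".
        if arn.split(":")[-1] == "root":
            serials.append(dev["SerialNumber"])
    return serials


def evaluate_root_mfa(summary, virtual_devices):
    """Return (status, detail) for the root hardware-MFA check."""
    if summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        return "FAIL", "root user has no MFA device"
    virtual = root_virtual_mfa_serials(virtual_devices)
    if virtual:
        return "FAIL", "root user has virtual MFA: " + ", ".join(virtual)
    # Assumption: MFA is on and no virtual device is assigned to root,
    # so the registered device is treated as non-virtual (hardware).
    return "PASS", "root user MFA enabled with no virtual device"


if __name__ == "__main__":
    print(evaluate_root_mfa(SAMPLE_SUMMARY, SAMPLE_VIRTUAL))
```

Because a root user can have more than one MFA device registered, the check fails whenever any virtual device is assigned to root, even if a hardware device is also present.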