The 'root' user account should use hardware-based MFA

Description

The root user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. When a user with MFA enabled signs in to an AWS website, they are prompted for their username and password, as well as an authentication code from their AWS MFA device. For Level 2 security, Datadog recommends that you protect the root user account with a hardware MFA device, because it has a smaller attack surface than a virtual MFA. Using a hardware MFA device reduces the vulnerability introduced by the mobile devices where virtual MFAs typically reside. However, if managing a single hardware MFA across many AWS accounts poses challenges, you might consider applying this recommendation selectively to the highest security accounts.
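
One way to audit this recommendation from saved AWS CLI output, as an added example that is not Datadog's rule implementation. It assumes the JSON shapes returned by `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned`; the function names, account ID and sample data are constructed for illustration.

```python
import json

# Constructed sample output of `aws iam get-account-summary` (trimmed).
SAMPLE_SUMMARY = json.loads('{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 12}}')

# Constructed sample output of
# `aws iam list-virtual-mfa-devices --assignment-status Assigned`.
SAMPLE_VIRTUAL = json.loads("""
{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice-phone",
   "User": {"UserName": "alice", "Arn": "arn:aws:iam::111122223333:user/alice"}},
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
   "User": {"Arn": "arn:aws:iam::111122223333:root"}}
]}
""")


def root_virtual_devices(virtual_mfa):
    """Return serial numbers of virtual MFA devices assigned to the root user."""
    serials = []
    for dev in virtual_mfa.get("VirtualMFADevices", []):
        # The root user's ARN ends in ":root"; IAM users end in ":user/<name>".
        user_arn = dev.get("User", {}).get("Arn", "")
        if user_arn.endswith(":root"):
            serials.append(dev.get("SerialNumber", ""))
    return serials


def root_mfa_status(summary, virtual_mfa):
    """Classify root MFA as 'no_mfa', 'virtual_mfa' or 'hardware_mfa'."""
    if summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        return "no_mfa"
    # AccountMFAEnabled only says whether root has MFA, not which kind, so the
    # hardware check is by elimination: MFA is on and no virtual device belongs
    # to root. Any virtual device on root fails the check.
    if root_virtual_devices(virtual_mfa):
        return "virtual_mfa"
    return "hardware_mfa"


if __name__ == "__main__":
    print(root_mfa_status(SAMPLE_SUMMARY, SAMPLE_VIRTUAL))
```
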

Remediation

For instructions on enabling a hardware MFA for the root account, refer to Enabling Hardware MFA for Your AWS Account Root User.