MFA should be enabled for the 'root' account

Docs > Datadog Security > OOTB Rules > MFA should be enabled for the 'root' account

Description

The root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a username and password. With MFA enabled, users are prompted for their username, password, and an authentication code from their AWS MFA device when signing in. Datadog recommends using a dedicated non-personal device for setting up virtual MFA for root accounts to minimize risks like device loss or if the device owner leaves the company.

Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential. Note that the IAM User root account for GovCloud (US) regions does not have console access, so this control is not applicable for GovCloud (US) regions.

Remediation

For instructions on enabling MFA for the root account, refer to Managing MFA for Your AWS Account Root User.