MFA is not enabled for the "root" account
Incident Management is now generally available! Incident Management is now generally available!
<  Back to rules search

MFA is not enabled for the "root" account






The root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.

Note: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(“non-personal virtual MFA”). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.


Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.


See the CIS AWS Foundations Benchmark controls docs for console remediation steps.



Default Value



  1. CCE-78911-5 2. CIS CSC v6.0 #5.6, #11.4, #12.6, #16.11

CIS Controls

4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.