A-IAM-16

AWS Root User Does Not Have MFA

Risk:
Critical

The AWS Root User should have an MFA device enabled and active.


Details

Each AWS account is created with a root user. This root user owns the account and exists before any IAM Users, IAM Roles, or other identities are created. Because the root user has full ownership of the account, it has complete permission to perform any action within the account, barring any Service Control Policies (SCPs) applied by an owning organisation.

It is crucial to understand that under most circumstances the root user has unfettered access to everything in the AWS account, making it the ultimate administrator. Given the sensitivity of data stored in AWS and the significant potential costs of a malicious breach, it is essential to secure the root user as much as possible to prevent unauthorised access. If the root user is compromised, recovery and repair are substantially harder than for a compromised IAM User or IAM Role.

A key part of this security is ensuring that the root user has a strong, valid password alongside an active multi-factor authentication (MFA) device. MFA adds a second form of verification on top of the password, which significantly reduces the risk of unauthorised access. An attacker must then defeat both factors, which makes the account harder to compromise and makes suspicious activity easier to detect than when relying on a username and password alone.

Remediation

Ensure that MFA is enabled for the root user of every one of your AWS accounts. For organisations, it is crucial to have documented processes for managing MFA, as this can extend to many root users that all need managing alongside their MFA devices. This can become troublesome because the process naturally exists and is managed outside of AWS. However, SkySiege has implemented this process at our clients before and has a pre-formatted architecture for managing your AWS root accounts.

For general AWS usage, it is best to create IAM Users or IAM Roles with administrative permissions rather than use the root user. This reserves root user logins for specific tasks such as actions in AWS Organisations or other root-user-only actions. This approach reduces reliance on the root account while still allowing administrator-level activity in the account.

SkySiege can instantly detect the state of your root users across all your AWS accounts without needing root user access to any of them. Get your cloud estate scanned and a report delivered the same day!
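As an added example (not SkySiege's tooling or AWS code), here are the two read-only IAM signals a scanner can use to evaluate this finding without root credentials: the `AccountMFAEnabled` field of `aws iam get-account-summary` and the `<root_account>` row of the IAM credential report from `aws iam get-credential-report`. The sample data below is constructed and the function names are mine.

```python
import csv
import io
import json

# Constructed sample of `aws iam get-account-summary` output (not a real account).
ACCOUNT_SUMMARY_JSON = json.dumps({
    "SummaryMap": {"AccountMFAEnabled": 0, "Users": 3, "MFADevices": 1}
})

# Constructed credential report in the IAM CSV layout; IAM always reports the
# root user under the literal user name <root_account>.
CREDENTIAL_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-06-01T00:00:00+00:00,"
    "true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true\n"
)


def root_mfa_from_account_summary(summary_json: str) -> bool:
    """True when the account-level flag says the root user has an MFA device."""
    summary = json.loads(summary_json)["SummaryMap"]
    # AccountMFAEnabled is an integer 0/1 in the API response.
    return summary.get("AccountMFAEnabled", 0) == 1


def root_mfa_from_credential_report(report_csv: str) -> bool:
    """True when the <root_account> row of the credential report has mfa_active=true."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row["mfa_active"].strip().lower() == "true"
    raise ValueError("credential report has no <root_account> row")


def evaluate_a_iam_16(summary_json: str, report_csv: str) -> dict:
    """Combine both signals; the finding fires unless both agree MFA is active."""
    summary_ok = root_mfa_from_account_summary(summary_json)
    report_ok = root_mfa_from_credential_report(report_csv)
    return {
        "check": "A-IAM-16",
        "root_mfa_enabled": summary_ok and report_ok,
        "status": "PASS" if (summary_ok and report_ok) else "FAIL (Critical)",
        "sources_disagree": summary_ok != report_ok,  # worth a manual look if True
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_a_iam_16(ACCOUNT_SUMMARY_JSON, CREDENTIAL_REPORT_CSV), indent=2))
```

To obtain real inputs, run `aws iam generate-credential-report` first, then `aws iam get-credential-report --query Content --output text | base64 -d` for the CSV; both calls need only `iam:GenerateCredentialReport`, `iam:GetCredentialReport` and `iam:GetAccountSummary` on a non-root identity.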

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.
