☁ AWS · IAM & Identity · AWS-01

Root Account MFA Status

CIS AWS Foundations Benchmark v2.0  ·  Control 1.4   |   Maps to: NIST CSF PR.AC-7  ·  SOX ITGC AC-01  ·  PCI DSS 8.5  ·  FFIEC CAT  ·  ISO 27001 A.9.4
Risk if failing
CRITICAL
Audit frequency
Every engagement
Script runtime
< 5 seconds
Failure risk rating
Critical — full account takeover risk. Immediate remediation required.

What this tests

Whether multi-factor authentication is enabled on the AWS root account. The root account has unrestricted access to every resource in your AWS environment — it bypasses all IAM policies, SCPs, and permission boundaries. Without MFA, a stolen password is a stolen account.

This check queries AWS IAM's account summary endpoint and evaluates a single field: AccountMFAEnabled. Either it is 1 (MFA active) or it is 0 (no MFA, immediate critical finding).

Why this matters in audit

Root account compromise appears in every major cloud breach post-mortem. Unlike an IAM user where you can restrict permissions, root cannot be constrained — it owns the account. A single exposed credential without MFA means complete data loss, infrastructure destruction, or ransomware deployment are one login away.

Every audit framework that touches cloud infrastructure lists root MFA as a mandatory or priority-one control. SOX ITGC programmes treat it as a general computer control failure that escalates to the external auditor. PCI DSS 8.5 explicitly requires MFA for all non-consumer accounts with admin access. A FAIL here is not a finding that stays in the IT audit report — it surfaces at the board level.

Pass and fail criteria

PASSAccountMFAEnabled = 1. Virtual or hardware MFA device is active on the root account. No finding.

FAIL — CRITICALAccountMFAEnabled = 0. No MFA device registered. Root account accessible with password alone. Raise immediately.

WARN — Script cannot connect or IAM credentials lack iam:GetAccountSummary permission. Finding scope limited — escalate access or document limitation.

// Evidence this produces
Sample PASS output — JSON
{
  "check_id":          "AWS-01",
  "check_name":        "Root Account MFA Status",
  "cis_reference":     "CIS AWS Foundations v2.0 — Control 1.4",
  "regulation_map":    "NIST CSF PR.AC-7 | SOX ITGC AC-01 | PCI DSS 8.5 | ISO 27001 A.9.4",
  "account_id":        "123456789012",
  "timestamp":         "2026-03-02T14:32:07Z",
  "result":            "PASS",
  "finding":           "Root account MFA is enabled.",
  "risk_rating":       "N/A",
  "remediation":       "None required.",
  "raw": { "AccountMFAEnabled": 1 }
}
Sample FAIL output — JSON
{
  "check_id":          "AWS-01",
  "check_name":        "Root Account MFA Status",
  "cis_reference":     "CIS AWS Foundations v2.0 — Control 1.4",
  "regulation_map":    "NIST CSF PR.AC-7 | SOX ITGC AC-01 | PCI DSS 8.5 | ISO 27001 A.9.4",
  "account_id":        "123456789012",
  "timestamp":         "2026-03-02T14:32:07Z",
  "result":            "FAIL",
  "risk_rating":       "CRITICAL",
  "finding":           "Root account MFA is NOT enabled. Full account access requires only a password.",
  "remediation":       "Enable virtual or hardware MFA on root account immediately via IAM console.",
  "raw": { "AccountMFAEnabled": 0 }
}
// Regulation cross-reference
Regulation
Clause / Control
Obligation
NIST CSF 2.0
PR.AC-7 — Authentication
Users and devices are authenticated commensurate with risk
SOX ITGC
AC-01 — Logical Access
Privileged accounts require strong authentication controls
PCI DSS v4.0
Req 8.5 — MFA for all access
MFA required for all non-consumer accounts into the CDE and admin access
ISO 27001:2022
A.9.4 — System access control
Secure log-on procedures and authentication management for privileged access
FFIEC CAT
Access Management — Baseline
Multi-factor authentication for privileged user accounts is a baseline maturity requirement
DORA (EU)
Art. 9 — ICT security policies
Strong authentication mechanisms required for privileged account access

Remediation

01
Sign in to the AWS console using root account credentials (email + password).
02
Navigate to the top-right account menu → Security credentials.
03
Under Multi-factor authentication (MFA), click Assign MFA device.
04
Select Virtual MFA device (Authenticator app) or Hardware TOTP token. Hardware is preferred for root — it cannot be phished remotely.
05
Complete device registration. Re-run AWS-01 script to confirm AccountMFAEnabled = 1 and attach PASS output to remediation evidence.

▶ Run the Python script

boto3 · live sandbox · JSON + terminal output · <5s runtime · workpaper-ready evidence

Python Encounters → AWS-01
← Back to Theatre AWS-02: Root Access Keys →