☁ AWS · IAM & Identity · AWS-01

Root Account MFA Status

CIS AWS Foundations Benchmark v2.0  ·  Control 1.4   |   Maps to: NIST CSF PR.AC-7  ·  SOX ITGC AC-01  ·  PCI DSS 8.5  ·  FFIEC CAT  ·  ISO 27001 A.9.4
Risk if failing
CRITICAL
Audit frequency
Every engagement
Script runtime
< 5 seconds
Failure risk rating
Critical, full account takeover risk. Immediate remediation required.

What this tests

Whether multi-factor authentication is enabled on the AWS root account. The root account has unrestricted access to every resource in your AWS environment, it bypasses all IAM policies, SCPs, and permission boundaries. Without MFA, a stolen password is a stolen account.

This check queries AWS IAM's account summary endpoint and evaluates a single field: AccountMFAEnabled. Either it is 1 (MFA active) or it is 0 (no MFA, immediate critical finding).

Why this matters in audit

Root account compromise appears in every major cloud breach post-mortem. Unlike an IAM user where you can restrict permissions, root cannot be constrained, it owns the account. A single exposed credential without MFA means complete data loss, infrastructure destruction, or ransomware deployment are one login away.

Every audit framework that touches cloud infrastructure lists root MFA as a mandatory or priority-one control. SOX ITGC programmes treat it as a general computer control failure that escalates to the external auditor. PCI DSS 8.5 explicitly requires MFA for all non-consumer accounts with admin access. A FAIL here is not a finding that stays in the IT audit report, it surfaces at the board level.

Pass and fail criteria

PASS, AccountMFAEnabled = 1. Virtual or hardware MFA device is active on the root account. No finding.

FAIL, CRITICAL, AccountMFAEnabled = 0. No MFA device registered. Root account accessible with password alone. Raise immediately.

WARN, Script cannot connect or IAM credentials lack iam:GetAccountSummary permission. Finding scope limited, escalate access or document limitation.

// Evidence this produces
Sample PASS output, JSON
{
  "check_id":          "AWS-01",
  "check_name":        "Root Account MFA Status",
  "cis_reference":     "CIS AWS Foundations v2.0, Control 1.4",
  "regulation_map":    "NIST CSF PR.AC-7 | SOX ITGC AC-01 | PCI DSS 8.5 | ISO 27001 A.9.4",
  "account_id":        "123456789012",
  "timestamp":         "2026-03-02T14:32:07Z",
  "result":            "PASS",
  "finding":           "Root account MFA is enabled.",
  "risk_rating":       "N/A",
  "remediation":       "None required.",
  "raw": { "AccountMFAEnabled": 1 }
}
Sample FAIL output, JSON
{
  "check_id":          "AWS-01",
  "check_name":        "Root Account MFA Status",
  "cis_reference":     "CIS AWS Foundations v2.0, Control 1.4",
  "regulation_map":    "NIST CSF PR.AC-7 | SOX ITGC AC-01 | PCI DSS 8.5 | ISO 27001 A.9.4",
  "account_id":        "123456789012",
  "timestamp":         "2026-03-02T14:32:07Z",
  "result":            "FAIL",
  "risk_rating":       "CRITICAL",
  "finding":           "Root account MFA is NOT enabled. Full account access requires only a password.",
  "remediation":       "Enable virtual or hardware MFA on root account immediately via IAM console.",
  "raw": { "AccountMFAEnabled": 0 }
}
// Regulation cross-reference
Regulation
Clause / Control
Obligation
NIST CSF 2.0
PR.AC-7, Authentication
Users and devices are authenticated commensurate with risk
SOX ITGC
AC-01, Logical Access
Privileged accounts require strong authentication controls
PCI DSS v4.0
Req 8.5, MFA for all access
MFA required for all non-consumer accounts into the CDE and admin access
ISO 27001:2022
A.9.4, System access control
Secure log-on procedures and authentication management for privileged access
FFIEC CAT
Access Management, Baseline
Multi-factor authentication for privileged user accounts is a baseline maturity requirement
DORA (EU)
Art. 9, ICT security policies
Strong authentication mechanisms required for privileged account access

Remediation

01
Sign in to the AWS console using root account credentials (email + password).
02
Navigate to the top-right account menu → Security credentials.
03
Under Multi-factor authentication (MFA), click Assign MFA device.
04
Select Virtual MFA device (Authenticator app) or Hardware TOTP token. Hardware is preferred for root, it cannot be phished remotely.
05
Complete device registration. Re-run AWS-01 script to confirm AccountMFAEnabled = 1 and attach PASS output to remediation evidence.

▶ Run the Python script

boto3 · live sandbox · JSON + terminal output · <5s runtime · workpaper-ready evidence

Python Encounters → AWS-01
← Back to Theatre AWS-02: Root Access Keys →