🐍 Python · AWS · IAM

aws_01_root_mfa.py

AWS-01: Root Account MFA
boto3 only · Read-only IAM · CIS AWS 1.5 · Exit codes for pipeline use

The AWS root user has unrestricted access to every resource in the account. No IAM policy or permission boundary applies to it; the only guardrail is an Organizations SCP, and that constrains root only in member accounts, never in the management account. A password-only root account is one phished or leaked credential away from total account compromise, and a leaked password can sit in a credential dump for months before anyone notices. This is not a theoretical risk: root account takeover is a recurring opening move in serious AWS incidents.

You are three days into a SOX ITGC cloud infrastructure review. The client says MFA is enforced across all privileged accounts. You run this script. It returns FAIL: the root account has no MFA device assigned. That single finding changes the risk rating of the entire access control section and requires immediate escalation. Enabling MFA takes minutes, but that does not close the finding: the control was absent for the period under review, so the gap stays in the report.

aws_01_root_mfa.py calls iam:GetAccountSummary and reads AccountMFAEnabled from the returned SummaryMap. A value of 1 is a PASS; a value of 0 is a FAIL rated CRITICAL. The check needs no root credentials, completes in under five seconds, and produces a timestamped JSON evidence package alongside the terminal output. Note that the flag only reports whether some MFA device is assigned to root; it does not distinguish a virtual device from a hardware one, so the hardware-MFA control (CIS 1.6) needs a separate check.

Regulation coverage: NIST CSF PR.AC-7 | SOX ITGC AC-01 | PCI DSS 8.4.1 | ISO 27001 A.9.4 | FFIEC CAT | DORA Art.9

Prerequisites: pip install boto3 · iam:GetAccountSummary · sts:GetCallerIdentity

Script

Terminal
# Install dependency
$ pip install boto3

# Run with default credentials
$ python3 aws_01_root_mfa.py

# Named profile
$ python3 aws_01_root_mfa.py --profile my-audit-role

# Save JSON evidence file
$ python3 aws_01_root_mfa.py --profile my-audit-role --save

# JSON only — for pipeline / CI use
$ python3 aws_01_root_mfa.py --json-only | jq .result

IAM permission          Why it is needed
iam:GetAccountSummary   Reads AccountMFAEnabled, the only field this check uses.
sts:GetCallerIdentity   Resolves the account ID for the evidence record. Optional: if it is denied the check still runs and the record simply lacks the account ID.

Sample output — PASS
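The page describes what the script does but does not reproduce its source. The following is an added example written for this page, not the project's own aws_01_root_mfa.py, showing one way to structure the check so the verdict logic is testable without AWS access. The exit-code values (0 PASS, 1 FAIL, 2 ERROR), the JSON field names, the evidence file name, and the ERROR verdict for an unusable response are assumptions; the boto3 calls (Session, get_account_summary, get_caller_identity) are the real ones.

```python
"""Root-account MFA check in the shape of AWS-01 (added example, not the page's script).

Evaluation is separated from AWS I/O: evaluate() and build_evidence() work on a
plain dict and need no credentials; only run_check() imports boto3.
"""
import argparse
import json
import sys
from datetime import datetime, timezone

# Assumed exit codes: the page only says the script exits for pipeline use.
# A distinct ERROR code matters so a pipeline never mistakes "could not
# assess" for "compliant".
EXIT_PASS, EXIT_FAIL, EXIT_ERROR = 0, 1, 2


def evaluate(summary_map):
    """Return (result, risk, finding) from a GetAccountSummary SummaryMap.

    AccountMFAEnabled is 1 when root has any MFA device, 0 otherwise.
    A missing or unexpected value is ERROR, never PASS (fail closed).
    """
    value = summary_map.get("AccountMFAEnabled")
    if value == 1:
        return "PASS", "INFO", "Root account MFA is enabled."
    if value == 0:
        return ("FAIL", "CRITICAL",
                "Root account MFA is NOT enabled. The root account is "
                "accessible with a password alone.")
    return "ERROR", "UNKNOWN", f"AccountMFAEnabled missing or unexpected: {value!r}"


def build_evidence(summary_map, account_id=None, now=None):
    """Assemble the timestamped evidence record (field names are assumed)."""
    result, risk, finding = evaluate(summary_map)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "check": "AWS-01",
        "title": "Root Account MFA Status",
        "cis_ref": "CIS AWS Foundations Benchmark v2.0 - Control 1.5",
        "account": account_id or "unknown",
        "timestamp": stamp,
        "result": result,
        "risk_rating": risk,
        "finding": finding,
        "raw": {"AccountMFAEnabled": summary_map.get("AccountMFAEnabled")},
    }


def exit_code_for(result):
    return {"PASS": EXIT_PASS, "FAIL": EXIT_FAIL}.get(result, EXIT_ERROR)


def run_check(profile=None):
    """Query AWS. boto3 is imported here so the pure logic above has no dependency."""
    import boto3
    from botocore.exceptions import BotoCoreError, ClientError

    session = boto3.Session(profile_name=profile)
    account_id = None
    try:  # sts:GetCallerIdentity is optional: without it the record lacks the account ID
        account_id = session.client("sts").get_caller_identity()["Account"]
    except (BotoCoreError, ClientError):
        pass
    summary = session.client("iam").get_account_summary()["SummaryMap"]
    return build_evidence(summary, account_id)


def main(argv=None):
    parser = argparse.ArgumentParser(description="AWS-01 root MFA check (example)")
    parser.add_argument("--profile", help="named AWS profile")
    parser.add_argument("--save", action="store_true", help="write JSON evidence file")
    parser.add_argument("--json-only", action="store_true", help="machine-readable output only")
    args = parser.parse_args(argv)
    try:
        evidence = run_check(args.profile)
    except Exception as exc:  # AccessDenied, missing credentials, network failure
        print(json.dumps({"result": "ERROR", "error": str(exc)}))
        return EXIT_ERROR
    if args.json_only:
        print(json.dumps(evidence))
    else:
        print(f"RESULT: {evidence['result']} ({evidence['risk_rating']})\n{evidence['finding']}")
    if args.save:  # assumed evidence file naming
        name = f"aws_01_root_mfa_{evidence['account']}_{evidence['timestamp'][:19].replace(':', '')}.json"
        with open(name, "w") as fh:
            json.dump(evidence, fh, indent=2)
    return exit_code_for(evidence["result"])


if __name__ == "__main__":
    sys.exit(main())
```

The split matters for audit tooling: evaluate() can be unit-tested against constructed SummaryMap dicts, and an AccessDenied on iam:GetAccountSummary surfaces as exit code 2 rather than as a silent PASS or a misleading FAIL.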
  Check        AWS-01 — Root Account MFA Status
  CIS Ref      CIS AWS Foundations Benchmark v2.0 — Control 1.5
  Account      123456789012

  ✓  RESULT: PASS

  Finding
  Root account MFA is enabled.

  Raw: {"AccountMFAEnabled": 1}

Sample output — FAIL
  Check        AWS-01 — Root Account MFA Status
  CIS Ref      CIS AWS Foundations Benchmark v2.0 — Control 1.5
  Account      123456789012

  ✗  RESULT: FAIL
  Risk Rating    CRITICAL

  Finding
  Root account MFA is NOT enabled. The root account is accessible
  with a password alone. Full account takeover risk — no IAM policy
  can restrict root.

  Remediation
  Enable virtual or hardware MFA on the root account immediately via
  AWS Console → Account menu → Security credentials → Assign MFA device.

  Raw: {"AccountMFAEnabled": 0}

Regulation map

Framework        Control / Clause   Obligation
NIST CSF 1.1     PR.AC-7            Authentication must be proportionate to risk. Root access without MFA fails this requirement.
SOX ITGC         AC-01              Privileged account access controls must be documented and enforced. Root MFA absence is a direct control gap.
PCI DSS v4.0     8.4.1              MFA is required for all non-console administrative access into the cardholder data environment.
ISO 27001:2013   A.9.4              Access to systems must use secure log-on procedures, with multi-factor authentication for privileged accounts.
FFIEC CAT        Baseline (IAM)     Root account protections are a baseline maturity requirement. Absence triggers immediate risk escalation.
DORA (EU)        Article 9          Financial entities must implement strong authentication mechanisms for privileged access to ICT systems.

Feedback welcome: Corrections, ideas, and requests — grcguy@rtapulse.com.