Which compliance frameworks require ensure mfa is enabled for the root account?

This security check is required by the following compliance frameworks: CIS AWS v1.5.0, CIS AWS v2.0, SOC 2, PCI-DSS, HIPAA, NIST 800-53, FedRAMP.

CRITICALCIS 1.2

Ensure MFA is enabled for the root account

The root account is the most privileged user in an AWS account. Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.

Security Impact

Without MFA, root account is vulnerable to password compromise attacks including phishing, credential stuffing, and brute force attacks.

How to Remediate

Enable MFA for the root account using a hardware MFA device or virtual MFA application. Navigate to IAM > Security credentials > Assign MFA device. Use hardware MFA for highest security.

Affected Resources

AWS::IAM::Root

Compliance Frameworks

CIS AWS v1.5.0CIS AWS v2.0SOC 2PCI-DSSHIPAANIST 800-53FedRAMP

How TigerGate Helps

TigerGate continuously monitors your AWS environment to detect and alert on this misconfiguration. Here's what our platform does for this specific check:

Continuous Scanning
Automatically scans all Identity and Access Management (IAM) resources across your AWS accounts every hour
Instant Alerts
Get notified via Slack, email, or webhooks when this misconfiguration is detected
One-Click Remediation
Fix this issue directly from the TigerGate dashboard with our guided remediation
Compliance Evidence
Automatically collect audit evidence for CIS AWS v1.5.0, CIS AWS v2.0, SOC 2 compliance
Drift Detection
Get alerted if this configuration drifts back to an insecure state after remediation