AWS Root Account MFA

TL;DR

Enable Multi-Factor Authentication (MFA) on your AWS root user immediately. The root user has unrestricted access to everything in the account, so this is the single most important step to secure your entire AWS environment. Prefer a FIDO2 security key or passkey; a virtual MFA app such as Google Authenticator or Authy is the next best choice. AWS does not issue backup or recovery codes for root MFA, so register a second MFA device (AWS allows up to eight per user) and keep the root user’s email address and phone number current, because those are what account recovery falls back on.

Step-by-Step Guide

  1. Sign in to the AWS Management Console as the Root User: On the sign-in page choose ‘Root user’ and enter the email address and password of the account itself, not an IAM user name.
  2. Navigate to your Account Settings: Click on your account name in the top right corner, then select ‘Security credentials’.
  3. Enable MFA: In the ‘Multi-factor authentication (MFA)’ section, click ‘Assign MFA device’ and give the device a name you will recognise later (for example the make of the key or the phone it lives on).
  4. Choose an MFA Device Type: The root user cannot use SMS codes, so the choice is between the options below. A phishing-resistant security key is the strongest; a virtual MFA app is the practical second choice.
    • Passkey or Security Key: A FIDO2 authenticator such as a YubiKey, or a platform passkey. There is no code to phish or copy, which makes this the most secure option, but it needs a compatible device and browser.
    • Virtual MFA Device: Use an app like Google Authenticator, Authy, or Microsoft Authenticator on your smartphone. The time-based codes work anywhere, but a user can be tricked into typing one into a phishing page.
    • Hardware TOTP Token: A key fob that displays the same kind of six-digit code as an app.
  5. Configure Your Virtual MFA Device (if chosen):
    • Download and install your chosen authenticator app on your smartphone.
    • In the AWS console you’ll see a single QR code, with a ‘Show secret key’ link for apps that cannot scan. Scan the code with your authenticator app.
    • Enter two consecutive six-digit codes generated by the app into the AWS console to verify setup.
    • If you reveal the secret key, treat it like a password: anyone who has it can generate valid codes on any device.
  6. Register a Backup MFA Device: AWS does not provide recovery or backup codes for root user MFA. If the only registered device is lost, the fallback is the sign-in troubleshooting flow, which verifies you through the root user’s email address and phone number, or a request to AWS Support. So:
    • Register a second MFA device now (AWS allows up to eight per user), ideally of a different kind and kept in a different place, for example a security key plus an authenticator app.
    • Check that the email address and phone number on the account are current, and that the mailbox is itself protected with MFA, because that mailbox can be used to recover the account.
  7. Test Your MFA Setup: Sign out of the AWS console and sign back in using your root account credentials. You should be prompted for a six-digit code from your authenticator app, or a touch of your security key.
  8. Stop Using the Root User for Day-to-Day Work (Recommended): The root user cannot be deleted or disabled in a standalone account, but you can stop depending on it. Delete any root access keys, create IAM users or roles (or IAM Identity Center users) with only the permissions they need, and reserve the root user for the few tasks that genuinely require it, such as changing account settings or closing the account.
    aws iam list-users

    Run this command, using IAM credentials rather than root, to confirm that the IAM users you will sign in with actually exist before you put the root credentials away.
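As an added example, not code from the original post, the Python script below checks the same things from the command line instead of by clicking through the console: whether root MFA is active, whether any root access keys exist, and whether the root password has been used recently. The credential report, account summary and account ID in it are constructed; with a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and fetch the summary with `aws iam get-account-summary`.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of an IAM credential report, i.e. the CSV you get after
# base64-decoding `aws iam get-credential-report`. Account ID, names and
# dates are placeholders, not real data.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-15T10:00:00+00:00,not_supported,2024-05-02T08:30:00+00:00,not_supported,not_supported,false,true,2020-01-15T10:00:00+00:00,2024-04-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T09:00:00+00:00,true,2024-05-01T07:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,true,2024-01-10T09:00:00+00:00,2024-05-01T07:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed sample of the SummaryMap returned by `aws iam get-account-summary`.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 1}

ROOT_USER = "<root_account>"  # literal user name IAM uses for the root row


def root_row(report_csv):
    """Return the root user's row of the credential report as a dict."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER:
            return row
    raise ValueError("credential report has no <root_account> row")


def parse_time(value):
    """Parse a report timestamp; placeholders such as N/A or no_information give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_root(report_csv, summary, now=None, recent_days=30):
    """Return (severity, message) findings about the root user.

    Two independent sources are checked, the per-user credential report and
    the account summary; both must say MFA is on before it is trusted.
    `now` may be a datetime or an ISO 8601 string (for reproducible checks).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    root = root_row(report_csv)
    findings = []

    if root["mfa_active"] != "true" or summary.get("AccountMFAEnabled") != 1:
        findings.append(("critical", "root user has no MFA device assigned"))

    # Root access keys are unrestricted, long-lived credentials; the only
    # correct number of them is zero.
    active_keys = [n for n in ("1", "2") if root[f"access_key_{n}_active"] == "true"]
    if active_keys:
        findings.append(("critical", "root access key(s) active: " + ", ".join(active_keys)))
    elif summary.get("AccountAccessKeysPresent"):
        findings.append(("critical", "account summary reports root access keys present"))

    # A recent root sign-in is not wrong by itself, but every one should be
    # explainable; point the reviewer at CloudTrail.
    last_used = parse_time(root["password_last_used"])
    if last_used is not None:
        age = (now - last_used).days
        if age <= recent_days:
            findings.append(("medium", f"root password used {age} days ago; confirm who and why in CloudTrail"))

    return findings


def is_compliant(report_csv, summary, now=None):
    """True when there is no critical finding (MFA on, no root access keys)."""
    return not any(sev == "critical" for sev, _ in audit_root(report_csv, summary, now))


if __name__ == "__main__":
    for severity, message in audit_root(SAMPLE_REPORT, SAMPLE_SUMMARY):
        print(f"[{severity}] {message}")
```

The report's `password_last_used` column is the cheapest way to notice that someone has been signing in as root; the CloudTrail check in the considerations below tells you who.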

Important Considerations

  • Never share your MFA secret key, and never hand your security key to anyone; a copied secret produces valid codes on any device.
  • Regularly review your MFA devices under ‘Security credentials’. If your phone is lost or stolen, sign in with your backup device, remove the old device, and register a replacement.
  • Be aware of phishing attempts. AWS will never ask you for your password or MFA codes via email or phone call.
  • Make sure CloudTrail is enabled in every region and review it regularly. Any event whose userIdentity.type is Root deserves attention: the root user should be used so rarely that each such event ought to be explainable.
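The following Python example is added here and is not part of the original post. It runs the root-user check a detection engineer would put in front of CloudTrail over a handful of constructed, CloudTrail-shaped records (placeholder account ID, IPs and timestamps): it flags every action taken by the root user, ranks a console sign-in without MFA highest, treats failed root sign-ins as a password-guessing signal, and skips service-initiated events that CloudTrail attributes to root with invokedBy set to AWS Internal.

```python
import json

# Constructed CloudTrail-style records (not real events). Account ID, IPs and
# timestamps are placeholders. Real log files wrap records as {"Records": [...]};
# load_records() accepts that shape as well as one JSON object per line.
SAMPLE_LOG = r'''
{"eventTime":"2024-05-02T08:30:11Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-05-02T08:31:02Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012"},"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-05-02T09:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012"},"sourceIPAddress":"198.51.100.7","responseElements":null}
{"eventTime":"2024-05-02T09:05:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketAcl","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012","invokedBy":"AWS Internal"},"sourceIPAddress":"AWS Internal"}
{"eventTime":"2024-05-02T09:10:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","principalId":"AIDAEXAMPLE","arn":"arn:aws:iam::123456789012:user/alice","accountId":"123456789012","userName":"alice"},"sourceIPAddress":"198.51.100.20","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-05-03T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
'''


def load_records(text):
    """Return a list of events from a CloudTrail log file body or JSON lines."""
    try:
        doc = json.loads(text)
    except ValueError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return doc.get("Records", [doc])
    return doc


def classify(event):
    """Return (severity, description) for a root-user event, or None to ignore it."""
    ident = event.get("userIdentity") or {}
    if ident.get("type") != "Root":
        return None
    # Some service-initiated actions are logged under the root identity with
    # invokedBy "AWS Internal"; nobody typed those, so they are not root usage.
    if ident.get("invokedBy") == "AWS Internal":
        return None
    name = event.get("eventName")
    if name == "ConsoleLogin":
        outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (event.get("additionalEventData") or {}).get("MFAUsed")
        if outcome != "Success":
            return ("high", "failed root console sign-in (possible password guessing)")
        if mfa != "Yes":
            return ("critical", "root console sign-in without MFA")
        return ("medium", "root console sign-in with MFA; confirm it was expected")
    # Any other API call by root is worth a look; root should be used rarely.
    return ("high", f"root API call {event.get('eventSource')} {name}")


def scan(records):
    """Run classify() over every record and collect the findings in log order."""
    findings = []
    for event in records:
        hit = classify(event)
        if hit:
            severity, description = hit
            findings.append({
                "time": event.get("eventTime"),
                "severity": severity,
                "source_ip": event.get("sourceIPAddress"),
                "description": description,
            })
    return findings


def severity_counts(findings):
    """Tally findings per severity, handy for a quick triage summary."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(load_records(SAMPLE_LOG))
    for hit in hits:
        print(f"{hit['time']} [{hit['severity']}] {hit['source_ip']} {hit['description']}")
    print(severity_counts(hits))
```

In a real deployment the same logic belongs in an EventBridge rule or a CloudWatch metric filter on the trail (matching `$.userIdentity.type = "Root"` and excluding `$.userIdentity.invokedBy = "AWS Internal"`), so that the alert fires within minutes rather than at the next review.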