Amazon: AWS root accounts must have MFA enabled

Amazon wants to make it more difficult for attackers to compromise Amazon Web Services (AWS) root accounts, by requiring those account holders to enable multi-factor authentication (MFA).

[Figure: MFA options for AWS accounts]

AWS provides on-demand cloud computing platforms and APIs to companies, governments, and individuals.

The root user is the first identity created with a new AWS account and the most privileged one, as it has access to every AWS service and resource in that account.

The requirement to enable MFA for the root user of an AWS Organizations management account will kick in by mid-2024.

The MFA options available on AWS include:

  • FIDO Certified hardware security keys, which are phishing-resistant
  • Virtual MFA devices, e.g., mobile authenticator apps that generate time-based one-time passwords (TOTP)
  • Hardware TOTP tokens, i.e., physical devices that generate time-based one-time passwords

Some account holders can get a free MFA security key from Amazon.

AWS customers can register up to eight MFA devices per account root user or per IAM user in AWS, Amazon Chief Security Officer Steve Schmidt pointed out.
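An added audit check (not from the article or from AWS's own tooling) that classifies the root user's MFA posture from the IAM account summary and the virtual MFA device list: hardware keys and hardware TOTP tokens never appear in ListVirtualMFADevices, so "MFA enabled but no virtual device assigned to root" means a hardware device protects root. It assumes boto3 and credentials allowed to call iam:GetAccountSummary and iam:ListVirtualMFADevices; the sample data and account ID are constructed.

```python
"""Classify the AWS root user's MFA posture from IAM account data."""
from typing import Any, Iterable, Mapping


def assess_root_mfa(summary_map: Mapping[str, int],
                    virtual_devices: Iterable[Mapping[str, Any]]) -> dict:
    """Pure check over GetAccountSummary's SummaryMap and ListVirtualMFADevices output."""
    enabled = summary_map.get("AccountMFAEnabled", 0) == 1
    # A virtual device assigned to root reports User.Arn = arn:aws:iam::<account-id>:root
    root_virtual = [d["SerialNumber"] for d in virtual_devices
                    if d.get("User", {}).get("Arn", "").endswith(":root")]
    if not enabled:
        mfa_type = "none"          # root is protected by password only
    elif root_virtual:
        mfa_type = "virtual"       # authenticator app (TOTP); not phishing-resistant
    else:
        mfa_type = "hardware"      # FIDO key or hardware TOTP token (API cannot tell which)
    return {
        "root_mfa_enabled": enabled,
        "root_mfa_type": mfa_type,
        "root_virtual_serials": root_virtual,
        "finding": None if enabled else "root user has no MFA device registered",
    }


def assess_live_account(session: Any = None) -> dict:
    """Fetch the inputs with boto3 and run the check on a real account.

    boto3 is imported here so the pure check above runs without it installed."""
    import boto3
    iam = (session or boto3).client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return assess_root_mfa(summary, devices)


# Constructed sample data; 111122223333 is a documentation-style placeholder account ID.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 1}
SAMPLE_DEVICES = [
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::111122223333:root"}},
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
     "User": {"Arn": "arn:aws:iam::111122223333:user/alice"}},
]

if __name__ == "__main__":
    print(assess_root_mfa(SAMPLE_SUMMARY, SAMPLE_DEVICES))
```

Run `assess_live_account()` with a configured AWS profile to audit a real account; the result's `root_mfa_type` of "virtual" is the case to upgrade to a FIDO key for phishing resistance.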

“While the requirement to enable MFA for root users of Organizations management accounts is coming in 2024, we strongly encourage our customers to get started today by enabling MFA not only for their root users, but for all user types in their environments,” he added.

“We will expand this program throughout 2024 to additional scenarios such as standalone accounts (those outside an organization in AWS Organizations) as we release features that make MFA even easier to adopt and manage at scale.”
