Ensure hardware MFA for root account is enabled

Error: Hardware MFA for root account is not enabled

Bridgecrew Policy ID: BC_AWS_IAM_14
Severity: HIGH

Hardware MFA for root account is not enabled


The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name, password, and an authentication code from their AWS MFA device.

We recommended that the root account be protected with a Level 2 hardware MFA, it has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.



Using hardware MFA for many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this recommendation selectively: apply Level 2 to the highest security AWS accounts, and apply Level 1 to the remaining accounts.

Fix - Runtime

AWS Console

To establish a hardware MFA for the root account, follow these steps:

  1. Log in to the AWS Management Console as a Root user at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. Select Dashboard and under Security Status on your root account expand Activate MFA.
  4. Select Activate MFA.
  5. In the wizard, select a hardware MFA device, then select Next Step.
  6. In the Serial Number box, enter the serial number found on the MFA device.
  7. In the Authentication Code 1 box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
  8. Wait 30 seconds while the device refreshes the code.
  9. Enter the next six-digit number into the Authentication Code 2 box. You might need to press the button on the front of the device again to display the second number.
  10. Select Next Step. The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.