This check assesses the AWS root user's MFA status and device type. It flags a root user that has no MFA at all, or that uses a virtual MFA device instead of a hardware device, and notes when centralized root credential management is in effect.
Risk
Without hardware MFA on the root user:
- No MFA: a stolen password or access keys enable full account takeover.
- Virtual MFA: compromise of the device, or restoration of its backup, weakens second-factor assurance.
In either case an attacker could delete resources, change policies, and disable logging, harming confidentiality, integrity, and availability.
Run this check with Prowler CLI
prowler aws --checks iam_root_hardware_mfa_enabled
Recommendation
Require a hardware MFA token for the root user and remove any virtual MFA. Apply least privilege: avoid using root, disable access keys, and eliminate long-term credentials. In organizations, centralize root management. Keep a controlled break-glass process with strict recovery checks and continuous monitoring.
Remediation
Other
- Sign in to the AWS Management Console as the root user
- Open My Security Credentials: https://console.aws.amazon.com/iam/home?#/security_credentials
- In the Multi-factor authentication (MFA) section, choose Activate/Assign MFA
- Select a hardware option (Security key or Hardware TOTP token) and complete the prompts (for TOTP: enter the device serial and two consecutive codes)
- After the hardware MFA is added, locate any Virtual MFA device listed for root and Deactivate/Remove it
- Confirm only the hardware MFA remains assigned
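The classification the check performs can be reproduced from two IAM API responses, which is also a quick way to confirm the final step above. This is an added example, not Prowler's own code: evaluate() is a pure function over the SummaryMap from iam:GetAccountSummary and the VirtualMFADevices list from iam:ListVirtualMFADevices, and the sample responses are constructed (the account id and hostnames are placeholders); the centralized-root-management note from the check is not covered here.

```python
"""Classify the root user's MFA posture: no MFA, virtual MFA, or hardware MFA."""
from __future__ import annotations
from typing import Any

# AWS names a root virtual MFA device with this reserved suffix.
ROOT_VIRTUAL_MFA_SUFFIX = ":mfa/root-account-mfa-device"


def evaluate(account_summary: dict[str, Any],
             virtual_devices: list[dict[str, Any]]) -> tuple[str, str]:
    """Return (status, finding); status is "FAIL" or "PASS"."""
    # AccountMFAEnabled is 1 only when the root user has an MFA device of any kind.
    if account_summary.get("AccountMFAEnabled", 0) != 1:
        return "FAIL", "MFA is not enabled for the root user"
    for device in virtual_devices:
        serial = device.get("SerialNumber", "")
        user_arn = device.get("User", {}).get("Arn", "")
        # A virtual device belongs to root if it carries the reserved root serial
        # or is assigned to the account root principal (ARN ending in ':root').
        if serial.endswith(ROOT_VIRTUAL_MFA_SUFFIX) or user_arn.endswith(":root"):
            return "FAIL", f"Root user has a virtual MFA device ({serial}); hardware MFA is not enforced"
    # MFA is on and no virtual device is assigned to root, so the second factor is hardware.
    return "PASS", "Root user has MFA enabled and no virtual MFA device is assigned"


def check_live_account() -> tuple[str, str]:
    """Run the same classification against the current account with boto3
    (needs iam:GetAccountSummary and iam:ListVirtualMFADevices)."""
    import boto3  # imported here so evaluate() stays usable without the SDK installed
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]
    return evaluate(summary, devices)


# Constructed sample: account-level MFA is on, but root's second factor is a virtual device.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 1, "Users": 3}
SAMPLE_DEVICES = [{
    "SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::111122223333:root"},
}]

if __name__ == "__main__":
    print(evaluate(SAMPLE_SUMMARY, SAMPLE_DEVICES))
```

After the remediation above, a live run should return PASS; a remaining root virtual device is reported by its serial number so it can be located and removed.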
Resource Type
AwsIamUser