Drata validates that hardware MFA is enabled for the root user account in AWS.
The 'root' user account is the most privileged user in an AWS account. MFA adds an
extra layer of protection on top of a user name and password. With MFA enabled, when
a user signs in to an AWS website, they will be prompted for their user name and
password as well as for an authentication code from their AWS MFA device.
A hardware MFA has a smaller attack surface than a virtual MFA. For example, a
hardware MFA does not suffer the attack surface introduced by the mobile smartphone
on which a virtual MFA resides.
ASSOCIATED DRATA CONTROL
This test is part of the Root Infrastructure Account Monitored control (DCF-90).
WHAT TO DO IF A TEST FAILS
If Drata finds that hardware MFA is not enabled for the root user account in AWS, the test will fail.
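The same condition can be checked outside Drata with two AWS CLI calls: `aws iam get-account-summary` reports `AccountMFAEnabled` (1 when the root user has any MFA device), and `aws iam list-virtual-mfa-devices --assignment-status Assigned` lists virtual devices, where a device assigned to root carries the serial number `arn:aws:iam::<account-id>:mfa/root-account-mfa-device`. Root has a hardware MFA only when the first says MFA is enabled and the second shows no virtual device on root. The following is an added example, not Drata's own code: it evaluates that logic over constructed JSON shaped like those two CLI outputs (the account id 111122223333 and user names are made up), so it runs offline; in practice you would feed it the real command output.

```python
import json

# Constructed sample shaped like `aws iam get-account-summary` output.
ACCOUNT_SUMMARY_MFA_ON = '{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 12}}'
ACCOUNT_SUMMARY_MFA_OFF = '{"SummaryMap": {"AccountMFAEnabled": 0, "Users": 12}}'

# Constructed samples shaped like
# `aws iam list-virtual-mfa-devices --assignment-status Assigned` output.
# The first includes a virtual device assigned to root (account id is made up).
VIRTUAL_MFA_WITH_ROOT = """{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
   "User": {"UserName": "<root>", "Arn": "arn:aws:iam::111122223333:root"}},
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
   "User": {"UserName": "alice", "Arn": "arn:aws:iam::111122223333:user/alice"}}
]}"""
VIRTUAL_MFA_NO_ROOT = """{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
   "User": {"UserName": "alice", "Arn": "arn:aws:iam::111122223333:user/alice"}}
]}"""


def root_mfa_enabled(summary_json: str) -> bool:
    """True when get-account-summary reports MFA on the root user."""
    summary = json.loads(summary_json)
    return summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1


def root_virtual_mfa_serials(virtual_json: str) -> list:
    """Serial numbers of virtual MFA devices assigned to the root user.

    A root assignment is recognised either by the well-known serial suffix
    or by the assigned user's ARN ending in ':root'.
    """
    devices = json.loads(virtual_json).get("VirtualMFADevices", [])
    found = []
    for dev in devices:
        serial = dev.get("SerialNumber", "")
        user_arn = dev.get("User", {}).get("Arn", "")
        if serial.endswith(":mfa/root-account-mfa-device") or user_arn.endswith(":root"):
            found.append(serial)
    return found


def evaluate_root_hardware_mfa(summary_json: str, virtual_json: str) -> dict:
    """Return {'status': 'pass'|'fail', 'reason': ...} for the hardware-MFA test.

    pass  : MFA enabled on root and no virtual device assigned to root,
            which leaves a hardware device as the only possibility.
    fail  : no MFA on root at all, or root's MFA is a virtual device.
    """
    if not root_mfa_enabled(summary_json):
        return {"status": "fail", "reason": "no MFA device is enabled for the root user"}
    virtual = root_virtual_mfa_serials(virtual_json)
    if virtual:
        return {"status": "fail",
                "reason": "root MFA is a virtual device: " + ", ".join(virtual)}
    return {"status": "pass", "reason": "root MFA is enabled and not virtual (hardware)"}


if __name__ == "__main__":
    for label, summary, virtual in [
        ("hardware MFA on root", ACCOUNT_SUMMARY_MFA_ON, VIRTUAL_MFA_NO_ROOT),
        ("virtual MFA on root", ACCOUNT_SUMMARY_MFA_ON, VIRTUAL_MFA_WITH_ROOT),
        ("no MFA on root", ACCOUNT_SUMMARY_MFA_OFF, VIRTUAL_MFA_NO_ROOT),
    ]:
        result = evaluate_root_hardware_mfa(summary, virtual)
        print(f"{label}: {result['status']} ({result['reason']})")
```

The check deliberately fails closed: it only reports a pass when MFA is on and every virtual device listed is assigned to someone other than root, so an account where root uses an authenticator app is flagged even though `AccountMFAEnabled` is 1.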
STEPS TO REMEDIATE
Sign in to AWS with the root account credentials and activate a hardware MFA from your dashboard, under 'Security Status.'
In the wizard, choose a 'Hardware MFA' device.
Enter the serial number that is found on the back of the MFA device in the 'Serial Number' field.
Enter the six-digit number displayed by the MFA device in the 'Authentication Code 1' field.
Wait 30 seconds while the device refreshes the code and then enter the next six-digit number in the 'Authentication Code 2' field.
Choose 'Next steps' and the MFA device should now be associated with this AWS account.
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.