Docs HomePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Writing Detections
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Alert Runbooks
Built-in Policies
AWS CloudTrail Is Enabled In All Regions
AWS CloudTrail Sending To CloudWatch Logs
AWS KMS CMK Key Rotation Is Enabled
AWS Application Load Balancer Has Web ACL
AWS Access Keys Are Used Every 90 Days
AWS Access Keys are Rotated Every 90 Days
AWS ACM Certificate Is Not Expired
AWS Access Keys not Created During Account Creation
AWS CloudTrail Has Log Validation Enabled
AWS CloudTrail S3 Bucket Has Access Logging Enabled
AWS CloudTrail Logs S3 Bucket Not Publicly Accessible
AWS Config Is Enabled for Global Resources
AWS DynamoDB Table Has Autoscaling Targets Configured
AWS DynamoDB Table Has Autoscaling Enabled
AWS DynamoDB Table Has Encryption Enabled
AWS EC2 AMI Launched on Approved Host
AWS EC2 AMI Launched on Approved Instance Type
AWS EC2 AMI Launched With Approved Tenancy
AWS EC2 Instance Has Detailed Monitoring Enabled
AWS EC2 Instance Is EBS Optimized
AWS EC2 Instance Running on Approved AMI
AWS EC2 Instance Running on Approved Instance Type
AWS EC2 Instance Running in Approved VPC
AWS EC2 Instance Running On Approved Host
AWS EC2 Instance Running With Approved Tenancy
AWS EC2 Instance Volumes Are Encrypted
AWS EC2 Volume Is Encrypted
AWS GuardDuty is Logging to a Master Account
AWS GuardDuty Is Enabled
AWS IAM Group Has Users
AWS IAM Policy Blocklist Is Respected
AWS IAM Policy Does Not Grant Full Administrative Privileges
AWS IAM Policy Is Not Assigned Directly To User
AWS IAM Policy Role Mapping Is Respected
AWS IAM User Has MFA Enabled
AWS IAM Password Used Every 90 Days
AWS Password Policy Enforces Complexity Guidelines
AWS Password Policy Enforces Password Age Limit Of 90 Days Or Less
AWS Password Policy Prevents Password Reuse
AWS RDS Instance Is Not Publicly Accessible
AWS RDS Instance Snapshots Are Not Publicly Accessible
AWS RDS Instance Has Storage Encrypted
AWS RDS Instance Has Backups Enabled
AWS RDS Instance Has High Availability Configured
AWS Redshift Cluster Allows Version Upgrades
AWS Redshift Cluster Has Encryption Enabled
AWS Redshift Cluster Has Logging Enabled
AWS Redshift Cluster Has Correct Preferred Maintenance Window
AWS Redshift Cluster Has Sufficient Snapshot Retention Period
AWS Resource Has Minimum Number of Tags
AWS Resource Has Required Tags
AWS Root Account Has MFA Enabled
AWS Root Account Does Not Have Access Keys
AWS S3 Bucket Name Has No Periods
AWS S3 Bucket Not Publicly Readable
AWS S3 Bucket Not Publicly Writeable
AWS S3 Bucket Policy Does Not Use Allow With Not Principal
AWS S3 Bucket Policy Enforces Secure Access
AWS S3 Bucket Policy Restricts Allowed Actions
AWS S3 Bucket Policy Restricts Principal
AWS S3 Bucket Has Versioning Enabled
AWS S3 Bucket Has Encryption Enabled
AWS S3 Bucket Lifecycle Configuration Expires Data
AWS S3 Bucket Has Logging Enabled
AWS S3 Bucket Has MFA Delete Enabled
AWS S3 Bucket Has Public Access Block Enabled
AWS Security Group Restricts Ingress On Administrative Ports
AWS VPC Default Security Group Restricts All Traffic
AWS VPC Flow Logging Enabled
AWS WAF Has Correct Rule Ordering
AWS CloudTrail Logs Encrypted Using KMS CMK
Built-in Rules
Panther API (Beta)
Guides
Help
Powered By GitBook
AWS Root Account Has MFA Enabled

AWS Root Account Using Hardware MFA

Risk
Remediation Effort
High
Medium
These policy validates that Multi Factor Authentication (MFA) is required for access to the root account, and that a hardware MFA device is in use.
The root account has the most privilege/access of any account, and should therefore be the most protected account. Enabling MFA mitigates much of the possibility of account compromise as both the password and the MFA device would need to be compromised at once for the account to be compromised. Hardware MFA is preferred as it is more difficult to compromise than a virtual MFA device.
Remediation
To remediate this, enable MFA for logins with the root account. This must be done from the AWS console, logged in as the root account.
Using the AWS Console
1. Log in with the root account, then go to the root account security credentials tab at:
2. Select the "Multi-factor authentication (MFA)" tab.
3. Select the "Activate MFA" button.
4. Follow the setup steps displayed in the popup window to configure the MFA device. It is recommended to use hardware MFA for the root account if possible, but virtual MFA is preferred to no MFA at all.
Using the AWS CLI Tool
1. At this time this issue cannot be remediated with the AWS CLI tool or with AWS API calls.
References
  • CIS AWS Benchmark 1.13 "Ensure MFA is enabled for the "root" account".
  • CIS AWS Benchmark 1.14 "Ensure hardware MFA is enabled for the "root" account".
Previous
AWS Resource Has Required Tags
Next
AWS Root Account Does Not Have Access Keys
Last modified 1yr ago
Copy link