How to resolve Sprinto check for enabling Multi Factor Authentication (MFA) on AWS Root users

Overview

Sprinto runs a security check to verify that Multi-Factor Authentication (MFA) is enabled on AWS root user accounts. This is a critical control: the root user has unrestricted access to everything in the account and is not constrained by IAM policies (only by Organizations SCPs in member accounts), so a root password that leaks without a second factor means full compromise of the AWS environment.

⚠️ Important Update (As of November 2024): AWS now supports removing the root user's sign-in credentials entirely, password and MFA device included, in line with its own best practice. When this configuration is used, the Sprinto check "AWS root account should have MFA enabled" no longer applies: there is no root MFA device to detect because there is no root sign-in left to protect. However, AWS does not currently offer an API that reports whether root credentials have been removed. Until it does, you must provide external evidence manually and have this case marked as a special exception.


For accounts managed under AWS Organizations, AWS now recommends removing all root user credentials from member accounts (the management account keeps its root user, which is the principal used to manage the others). This includes:

  • Password

  • Access keys

  • Signing certificates

  • MFA device (can be deactivated and deleted)

Reference: AWS Security Best Practices – Root User


How to Resolve This Check

Option 1: Root MFA is Enabled (Standard Case)

If you still use the AWS root user with login capability, ensure that MFA is enabled by following the steps below.

Prerequisites

  • You must be signed in as the AWS root user (the account email address and root password).

  • No separate administrative privilege is needed: the root user is fully privileged by definition. Conversely, an IAM user or role, even one with AdministratorAccess, cannot assign an MFA device to the root user, so signing in as root is the only way to do this.

Procedure

  1. Sign in to the AWS Console as the root user.

  2. Navigate to the IAM service.

  3. On the IAM Dashboard, check if the root user MFA is disabled. If so, a banner will prompt you to enable it.

  4. Click Add MFA from the banner, or go to Your Security Credentials and click Activate MFA (labelled Assign MFA device in the current console).

  5. Select Virtual MFA device (an authenticator app), then click Continue. AWS also accepts a passkey or FIDO security key and a hardware TOTP token for the root user; the steps that follow assume a virtual device.

  6. Open your preferred authenticator app on your mobile device.

  7. Scan the QR code provided.

  8. Enter two consecutive MFA codes from your app (wait for the first code to roll over before reading the second).

  9. Click Assign MFA.

✅ Sprinto will detect this change and automatically mark the check as Passing once MFA is successfully configured.
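To confirm the state yourself, before Sprinto's next scan, from an ordinary IAM user or role, the following added example (not Sprinto's or AWS's own code) evaluates the two inputs a scanner can read without a root sign-in: `iam:GetAccountSummary` (its `AccountMFAEnabled` field reflects root MFA) and the IAM credential report. It also makes the limitation behind Option 2 visible: the report's `password_enabled` column is always `not_supported` for the root row, so an account whose root password was removed is indistinguishable from one whose root still has a password but no MFA. The sample reports below are constructed for this example and trimmed to the columns it reads; `fetch_live()` uses boto3 and is only called when you run the script against a real account.

```python
"""Self-check for the 'AWS root account should have MFA enabled' control.

Added example, not part of the Sprinto article. Reads iam:GetAccountSummary
and the IAM credential report and returns PASS / FAIL / MANUAL_REVIEW.
"""
import csv
import io
import sys
import time
from dataclasses import dataclass

ROOT_ROW = "<root_account>"

# Constructed sample credential reports, trimmed to the columns this example
# reads (a real report carries more columns; DictReader ignores the extras).
_HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,"
           "password_last_changed,password_next_rotation,mfa_active,"
           "access_key_1_active,access_key_2_active,cert_1_active,cert_2_active\n")
_IAM_USER = ("alice,arn:aws:iam::123456789012:user/alice,2023-05-02T10:00:00+00:00,"
             "true,2024-11-01T08:00:00+00:00,2024-06-01T10:00:00+00:00,N/A,true,"
             "true,false,false,false\n")
_ROOT = "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"

# Root with a virtual MFA device assigned (Option 1, the standard case).
SAMPLE_MFA_ON = _HEADER + _IAM_USER + _ROOT + (
    "not_supported,2024-11-01T09:12:00+00:00,not_supported,not_supported,true,"
    "false,false,false,false\n")
# Root without MFA and with an active access key: a plain failure.
SAMPLE_NO_MFA_WITH_KEY = _HEADER + _IAM_USER + _ROOT + (
    "not_supported,2024-10-20T17:40:00+00:00,not_supported,not_supported,false,"
    "true,false,false,false\n")
# Root with nothing active: what Option 2 (credentials removed) looks like,
# but also what a root user with a password and no MFA looks like.
SAMPLE_STRIPPED = _HEADER + _IAM_USER + _ROOT + (
    "not_supported,no_information,not_supported,not_supported,false,"
    "false,false,false,false\n")


@dataclass(frozen=True)
class RootStatus:
    mfa_active: bool
    access_keys_active: int
    certs_active: int
    password_enabled: str  # IAM emits 'not_supported' on the root row


def _flag(value: str) -> bool:
    return value.strip().lower() == "true"


def parse_root_status(report_csv: str) -> RootStatus:
    """Pull the <root_account> row out of a credential report (CSV text)."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_ROW:
            return RootStatus(
                mfa_active=_flag(row["mfa_active"]),
                access_keys_active=sum(_flag(row[k]) for k in
                                       ("access_key_1_active", "access_key_2_active")),
                certs_active=sum(_flag(row[k]) for k in ("cert_1_active", "cert_2_active")),
                password_enabled=row["password_enabled"].strip(),
            )
    raise ValueError("credential report has no <root_account> row")


def evaluate(account_mfa_enabled: int, root: RootStatus) -> tuple[str, str]:
    """Return (verdict, reason). The live account summary is authoritative for
    MFA; the credential report (up to four hours old) supplies the rest."""
    if account_mfa_enabled == 1:
        return "PASS", "root user has an MFA device assigned"
    if root.mfa_active:
        return "FAIL", "account summary reports no root MFA (credential report is stale)"
    if root.access_keys_active == 0 and root.certs_active == 0:
        # No MFA and no long-lived credentials. Either the root password was
        # removed (Option 2) or it still exists without MFA; the report cannot
        # tell, because password_enabled is 'not_supported' for root.
        return "MANUAL_REVIEW", "no root MFA; cannot tell whether the root password was removed"
    return "FAIL", (f"no root MFA and {root.access_keys_active} access key(s) / "
                    f"{root.certs_active} signing certificate(s) active")


def fetch_live() -> tuple[int, RootStatus]:
    """Pull the real inputs with boto3. Needs iam:GetAccountSummary,
    iam:GenerateCredentialReport and iam:GetCredentialReport; no root login."""
    import boto3  # imported here so the offline parts above run without it
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]["AccountMFAEnabled"]
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    report = iam.get_credential_report()["Content"].decode()
    return summary, parse_root_status(report)


if __name__ == "__main__":
    if "--live" in sys.argv:
        print(*evaluate(*fetch_live()))
    else:
        for name, summary, report in (("mfa_on", 1, SAMPLE_MFA_ON),
                                      ("no_mfa_with_key", 0, SAMPLE_NO_MFA_WITH_KEY),
                                      ("stripped", 0, SAMPLE_STRIPPED)):
            print(name, *evaluate(summary, parse_root_status(report)))
```

Run it with `--live` from a principal that can read IAM to check a real account; without arguments it walks the three constructed cases. A `MANUAL_REVIEW` result is exactly the situation the special-exception process below exists for.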



Option 2: Root Credentials Removed (Special Case)

If you have removed all credentials (including the password and the MFA device) from your AWS root user, Sprinto cannot detect this configuration automatically, because AWS does not currently provide programmatic visibility into whether root credentials exist.

What You Need to Do

  1. Capture a screenshot of the root user's Security Credentials page showing that no password, access keys, signing certificates or MFA device remain. Make sure the AWS account ID is visible in the screenshot so the evidence can be tied to the account being assessed.

  2. Upload this screenshot as external evidence in Sprinto.

Sprinto’s compliance team will review this and approve the check manually.


Contact Us

If you have questions or require help resolving this check, contact Sprinto Support.