Security Hub - Ensure hardware MFA is enabled for the 'root' user account

1

I ordered the free Yubico Key from AWS and have successfully set it up with the root user account from my computer. The root account also uses a virtual key for someone else in the company to access, since they live in a different city. However, in Security Hub -> Security standards -> CIS AWS Foundations Benchmark v1.4.0 the compliance status is still marked as FAILED even though it has been weeks since this was done. AWS Foundational Security Best Practices v1.0.0 also shows Failed, but shows No Data under CIS AWS Foundations Benchmark v1.2.0. It also shows Failed under Findings. Is there something that I am missing to allow the check to be successful?

3 Answers
0

Hello,

Kindly check the compliance result of the underlying Config rule https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html

AWS
Adeyini
answered a year ago
0

Security Hub -> Security standards -> CIS AWS Foundations Benchmark v1.4.0: check this remediation guide and ensure all steps are followed: https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-6

AWS Foundational Security Best Practices v1.0.0 also shows Failed: same remediation guide as above.

No Data under CIS AWS Foundations Benchmark v1.2.0: it means the control has been suppressed. You can change the status from "Suppressed" using the "Workflow Status" to address the No Data.

Note: Security Hub updates the calculated security score every 24 hours.

Future update on Consolidated Control Findings and a Consolidated Controls View for AWS Security Hub: https://aws.amazon.com/about-aws/whats-new/2023/02/aws-security-hub-consolidated-control-findings-view/

AWS
answered a year ago
0

I think there must be no virtual MFA devices associated with the root account...

The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credentials.

https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html

Does that other person really need the "root" account? I doubt it. I believe root is really only necessary for seismic tasks, like deleting or transferring the account, maybe playing with domain ownership. Root account access is not genuinely necessary for everyday tasks. Best practice is to give them their own IAM account and grant them Administrator access to everything, or less as appropriate. As the account owner, it's best if you save those very few "root-only" tasks for yourself, or whoever has the hardware key.

answered a year ago
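To see why the check above stays FAILED while a hardware key is attached, it helps to reproduce the rule's logic against the IAM data it looks at. The following is an added example, not code from AWS or from any of the posters: it approximates (assumption) the root-account-hardware-mfa-enabled evaluation using the response shapes of two real CLI calls, `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned`. The sample responses are constructed inline; the account ID 123456789012 and the device serials are placeholders. The hardware key never appears in the virtual-device list, so its presence alone does not make the rule pass; the virtual device assigned to root is what keeps it NON_COMPLIANT.

```python
"""Offline approximation of the root-account-hardware-mfa-enabled check.

Added example (not AWS code). It models the rule as: COMPLIANT only when
the account-level MFA flag is on AND no virtual MFA device is assigned to
the root user. Input shapes follow the real IAM API responses of:
  aws iam get-account-summary
  aws iam list-virtual-mfa-devices --assignment-status Assigned
"""

# Serial suffix AWS gives the root user's virtual device (assumption:
# taken from the documented naming, matched by suffix only).
ROOT_VIRTUAL_MFA_SUFFIX = "/root-account-mfa-device"


def root_virtual_mfa_devices(virtual_mfa_response: dict) -> list:
    """Return serial numbers of virtual MFA devices assigned to root."""
    serials = []
    for dev in virtual_mfa_response.get("VirtualMFADevices", []):
        user_arn = dev.get("User", {}).get("Arn", "")
        serial = dev.get("SerialNumber", "")
        # Root is identified by its ARN (arn:aws:iam::ACCOUNT:root) or by
        # the serial AWS assigns to the root virtual device.
        if user_arn.endswith(":root") or serial.endswith(ROOT_VIRTUAL_MFA_SUFFIX):
            serials.append(serial)
    return serials


def evaluate_root_hardware_mfa(account_summary: dict,
                               virtual_mfa_response: dict) -> tuple:
    """Return (compliance, reason) the way the Config rule would report it."""
    summary = account_summary.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        return "NON_COMPLIANT", "root user has no MFA device enabled"
    root_virtual = root_virtual_mfa_devices(virtual_mfa_response)
    if root_virtual:
        return ("NON_COMPLIANT",
                "virtual MFA device(s) still assigned to root: "
                + ", ".join(root_virtual))
    return "COMPLIANT", "root MFA enabled and no virtual device assigned to root"


# --- constructed sample responses (not real account data) ---------------

SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1,
                                 "MFADevices": 3, "MFADevicesInUse": 3}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0,
                                  "MFADevices": 1, "MFADevicesInUse": 1}}

# The questioner's situation: hardware key on root (not listed here, it is
# not virtual) PLUS a virtual device for the remote colleague on root.
VIRTUAL_WITH_ROOT = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::123456789012:root"}},
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
     "User": {"Arn": "arn:aws:iam::123456789012:user/alice"}},
]}

# After remediation: the colleague uses an IAM user with their own virtual
# device; root keeps only the hardware key.
VIRTUAL_USERS_ONLY = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
     "User": {"Arn": "arn:aws:iam::123456789012:user/alice"}},
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/bob",
     "User": {"Arn": "arn:aws:iam::123456789012:user/bob"}},
]}


if __name__ == "__main__":
    for label, summary, virt in [
        ("hardware key + virtual device on root", SUMMARY_MFA_ON, VIRTUAL_WITH_ROOT),
        ("hardware key only on root", SUMMARY_MFA_ON, VIRTUAL_USERS_ONLY),
        ("no MFA on root", SUMMARY_MFA_OFF, VIRTUAL_USERS_ONLY),
    ]:
        status, reason = evaluate_root_hardware_mfa(summary, virt)
        print(f"{label}: {status} ({reason})")
```

To run this against a real account, save the two CLI outputs to JSON files and load them with `json.load` in place of the constructed dictionaries. Deactivating the root virtual device is done with `aws iam deactivate-mfa-device` using root credentials, after which the rule re-evaluates and the Security Hub score catches up on its 24-hour cycle, as the second answer notes.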
