Hello,
Kindly check the compliance result of the underlying Config rule https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html
Security Hub -> Security standards -> CIS AWS Foundations Benchmark v1.4.0: Check this remediation guide and ensure all steps are followed here: https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-6
AWS Foundational Security Best Practices v1.0.0 also shows Failed. Same remediation guide as above.
No Data under CIS AWS Foundations Benchmark v1.2.0: It means the control has been suppressed. You can change the status from "Suppressed" using the "Workflow Status" to address the No Data.
Note: Security Hub updates the calculated security score every 24 hours.
Future update on Consolidated Control Findings and a Consolidated Controls View for AWS Security Hub: https://aws.amazon.com/about-aws/whats-new/2023/02/aws-security-hub-consolidated-control-findings-view/
I think there must be no virtual MFA devices associated with the root account...
The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credentials.
https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html
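The condition quoted in the answer above can be checked by hand from the JSON output of `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices`. The following is an added example, not code from any poster or from AWS; it approximates the rule rather than reproducing the Config rule's own logic, and the sample data and account ID are constructed.

```python
import json

# Constructed sample of `aws iam get-account-summary` output (trimmed).
SUMMARY = json.loads('{"SummaryMap": {"AccountMFAEnabled": 1}}')

# Constructed sample of `aws iam list-virtual-mfa-devices` output.
# 111122223333 is a placeholder account ID.
VIRTUAL = json.loads("""
{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
   "User": {"Arn": "arn:aws:iam::111122223333:root"}},
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
   "User": {"Arn": "arn:aws:iam::111122223333:user/alice"}},
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/unassigned"}
]}
""")


def root_virtual_mfa(virtual):
    """Serial numbers of virtual MFA devices assigned to the root user."""
    return [
        dev["SerialNumber"]
        for dev in virtual.get("VirtualMFADevices", [])
        if dev.get("User", {}).get("Arn", "").endswith(":root")
    ]


def evaluate(summary, virtual):
    """Approximate the rule: root MFA must be on and must not be virtual."""
    if summary.get("SummaryMap", {}).get("AccountMFAEnabled") != 1:
        return "NON_COMPLIANT", "no MFA device on the root user"
    serials = root_virtual_mfa(virtual)
    if serials:
        return "NON_COMPLIANT", "virtual MFA on root: " + ", ".join(serials)
    return "COMPLIANT", "root MFA enabled, no virtual device assigned to root"


if __name__ == "__main__":
    print(evaluate(SUMMARY, VIRTUAL))
```

Matching on the `User.Arn` field rather than the device name catches a root virtual device that was given a custom name.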
Does that other person really need the "root" account? I doubt it. I believe root is really only necessary for seismic tasks, like deleting or transferring the account, maybe playing with domain ownership. Root account access is not genuinely necessary for everyday tasks. Best practice is to give them their own IAM account and grant them Administrator access to everything, or less as appropriate. As the account owner, it's best if you save those very few "root-only" tasks for yourself, or whoever has the hardware key.