Hello,
Please refer to this document for having additional users registered for MFA for the root account. In addition to this, please go through the Root user best practices for your AWS account, as it is strongly recommended that you don't access the AWS account root user unless you have a task that requires root user credentials. You need to secure your root user credentials and your account recovery mechanisms to help ensure you don't expose your highly privileged credentials to unauthorized use.
Hardware MFA means using a dedicated piece of hardware relying on an encryption key hardwired into the device and practically infeasible to extract from it. If you use such hardware tokens, you'll have to secure them physically.
A much better way to secure root credentials across a large number of AWS accounts is to join the accounts in an AWS Organizations organisation and to create a Service Control Policy (SCP) that blocks all but harmless operations by the root user. That will make the root user effectively less powerful than any regular AWS IAM principal, so that regular software MFA tokens suffice for root. Many professional password management applications are available for storing the software MFA seeds and sharing them between superadmins without resorting to insecure communication channels, such as email and chat.
The only account exempt from restrictions imposed by SCPs is the management account of the organisation. That's a hardwired safeguard meant to make it more difficult to lock yourself out of your whole environment with an overly restrictive SCP and have no way to lift the restriction. For this reason, the management account's root credentials should be secured with hardware MFA and by applying particularly careful hygiene for the root's email address and other aspects relevant to securing it.
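As an added illustration of the SCP approach described in the answer above (this is example code, not the answerer's or AWS's own policy), the following Python builds a root-restricting SCP and lets you check locally which actions it would block before attaching it. The `NotAction` allow-list of "harmless" root operations is an assumption chosen for the example, and the evaluation function models only this single Deny statement, not the full IAM/SCP evaluation logic.

```python
"""Build an SCP that denies every root-user action except an explicit allow-list,
and check locally which actions it would block before attaching it.

Added example, not from the re:Post answer. The NotAction list below is an
assumption for illustration; adjust it to what your root user actually needs.
The evaluator is a simplified model of one Deny statement, not a full
IAM/SCP policy simulator.
"""
import fnmatch
import json

# Operations the root user is still allowed to perform under this SCP.
# This list is an assumption chosen for the example, not AWS guidance.
ROOT_ALLOWED_ACTIONS = [
    "iam:GetAccountSummary",
    "iam:ListMFADevices",
    "sts:GetCallerIdentity",
]


def build_root_restricting_scp(allowed_actions=ROOT_ALLOWED_ACTIONS):
    """Return the SCP document as a dict.

    Deny + NotAction means: deny everything except the listed actions.
    The condition limits the statement to root identities of any member
    account ('arn:aws:iam::*:root'). SCPs never apply to the management
    account, so its root user is not restricted by this policy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RestrictRootUser",
                "Effect": "Deny",
                "NotAction": list(allowed_actions),
                "Resource": "*",
                "Condition": {
                    "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
                },
            }
        ],
    }


def scp_json(policy=None):
    """Serialise the policy, e.g. for 'aws organizations create-policy --content file://scp.json'."""
    return json.dumps(policy or build_root_restricting_scp(), indent=2)


def _matches_any(value, patterns):
    # IAM-style wildcard matching: '*' and '?' wildcards; actions and ARNs
    # are compared case-insensitively here for simplicity.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def root_action_denied(action, principal_arn, policy=None):
    """Simplified evaluation: True if the SCP's Deny statement blocks `action`
    for `principal_arn`. Only Effect, Action/NotAction and the
    aws:PrincipalArn StringLike condition are modelled."""
    policy = policy or build_root_restricting_scp()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        arn_patterns = stmt["Condition"]["StringLike"]["aws:PrincipalArn"]
        if not _matches_any(principal_arn, arn_patterns):
            continue  # condition not met: statement does not apply to this principal
        if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
            continue  # explicitly exempted action
        if "Action" in stmt and not _matches_any(action, stmt["Action"]):
            continue  # statement does not cover this action
        return True
    return False


if __name__ == "__main__":
    print(scp_json())
    # Constructed sample checks for a member account's root user vs. an IAM user.
    for act, arn in [
        ("s3:PutObject", "arn:aws:iam::123456789012:root"),
        ("sts:GetCallerIdentity", "arn:aws:iam::123456789012:root"),
        ("s3:PutObject", "arn:aws:iam::123456789012:user/alice"),
    ]:
        print(act, arn, "DENIED" if root_action_denied(act, arn) else "allowed")
```

Attach the resulting document to the organisation root or to specific OUs with `aws organizations create-policy` and `aws organizations attach-policy`; verify first with an IAM principal you can still reach, since a Deny with `Resource: "*"` in an SCP cannot be overridden by any identity policy in the member accounts.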