Do "Passkey or security key" MFA devices for the root user satisfy the Security Hub IAM.6 requirement?

For compliance and security, we need to use Hardware MFA devices as specified by IAM.6, "Hardware MFA should be enabled for the root user". The description reads:

This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.

The "Assign MFA" page lists three options:

  • Passkey or security key
  • Authenticator app
  • Hardware TOTP token

As we're currently in procurement for a solution, we need confirmation that "Passkey or security key" satisfies the IAM.6 requirement, or if instead only the Hardware TOTP device is accepted. Would a FIPS-compliant Yubikey such as this one suffice for the security requirement?

If it is the case that only the TOTP token satisfies the IAM.6 requirement, how is a non-US entity supposed to procure one, given that only two devices from Thales are listed and neither is available in our current operating country (EU)? If this is not the case, you can ignore this secondary question.

asked a year ago · 273 views

1 Answer

In addition to a hardware TOTP token, a passkey or security key will meet the requirement for the IAM.6 control in Security Hub.

For example, a passkey using a Chrome profile or a FIDO2 security key configured for the root user will generate a PASSED check for the IAM.6 control.

Please refer to the links below for more information on FIDO2 security key support in IAM:

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_fido_supported_configurations.html#id_credentials_mfa_fido_supported_devices
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_mfa-fido.html

For supported Yubico devices, please use this link and search for FIDO2 specification keys: https://fidoalliance.org/certification/fido-certified-products/

AWS
SUPPORT ENGINEER
answered a year ago
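To make the distinction in the answer concrete (a virtual authenticator app fails IAM.6, while a hardware TOTP token, a FIDO2 security key or a passkey passes), here is an added Python example that is not part of the re:Post thread and not AWS's own code. It assumes the documented evaluation logic of the control: the check passes when account-level MFA is enabled for the root user and no virtual MFA device is assigned to the root user. The input shapes mirror the IAM GetAccountSummary and ListVirtualMFADevices responses; the account id, device serial numbers and user names are constructed placeholders, and the optional live lookup requires boto3 and IAM read permissions.

```python
"""Offline evaluation of the Security Hub IAM.6 root-hardware-MFA logic.

Added example, not from the re:Post thread or from AWS. Assumption: the
control passes when account-level MFA is enabled for root AND no virtual
(software TOTP) MFA device is assigned to the root user. Hardware TOTP
tokens, FIDO2 security keys and passkeys are not virtual MFA devices, so
they pass; an authenticator app on root fails.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Iam6Result:
    status: str  # "PASSED" or "FAILED"
    reason: str


def is_root_arn(arn: str) -> bool:
    """Root user ARNs have the form arn:aws:iam::<account-id>:root."""
    return arn.startswith("arn:aws:iam::") and arn.endswith(":root")


def evaluate_iam6(summary_map: dict, assigned_virtual_devices: list) -> Iam6Result:
    """summary_map is GetAccountSummary's SummaryMap; assigned_virtual_devices
    is the VirtualMFADevices list from ListVirtualMFADevices(AssignmentStatus=Assigned)."""
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return Iam6Result("FAILED", "no MFA device of any kind is enabled for the root user")
    root_virtual = [
        d["SerialNumber"]
        for d in assigned_virtual_devices
        if is_root_arn(d.get("User", {}).get("Arn", ""))
    ]
    if root_virtual:
        return Iam6Result("FAILED", f"root uses a virtual MFA device: {root_virtual[0]}")
    return Iam6Result(
        "PASSED",
        "root MFA is enabled and no virtual device is assigned "
        "(hardware TOTP token, FIDO2 security key or passkey)",
    )


def evaluate_live_account() -> Iam6Result:
    """Same evaluation against a real account (needs boto3 and iam:GetAccountSummary,
    iam:ListVirtualMFADevices). Not exercised offline."""
    import boto3  # imported lazily so the offline part of this file has no dependency

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return evaluate_iam6(summary, devices)


# Constructed sample data; the account id and names are placeholders.
ACCOUNT = "123456789012"
ROOT_VIRTUAL_DEVICE = {
    "SerialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/root-account-mfa-device",
    "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:root", "UserId": ACCOUNT},
}
IAM_USER_VIRTUAL_DEVICE = {
    "SerialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/alice",
    "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "UserId": "AIDAEXAMPLEPLACEHOLDER"},
}

if __name__ == "__main__":
    cases = [
        ("no root MFA", {"AccountMFAEnabled": 0}, []),
        ("authenticator app on root", {"AccountMFAEnabled": 1}, [ROOT_VIRTUAL_DEVICE]),
        ("hardware key on root, app on an IAM user", {"AccountMFAEnabled": 1}, [IAM_USER_VIRTUAL_DEVICE]),
    ]
    for label, summary, devices in cases:
        result = evaluate_iam6(summary, devices)
        print(f"{label:42s} {result.status:7s} {result.reason}")
```

The third case is the one the question is about: a FIDO2 key or passkey on root never appears in ListVirtualMFADevices, so the only root-related evidence is AccountMFAEnabled = 1, and the control passes even though an IAM user elsewhere in the account still uses a virtual device.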
