AWS – AWS IAM now enforces MFA for root users across all account types
Today AWS Identity and Access Management (IAM) announced comprehensive multi-factor authentication (MFA) requirements for root users across all account types, now extended to AWS Organizations member accounts. This MFA enforcement marks a significant milestone in our ongoing commitment to secure-by-design principles, setting a high bar for our customers' default security posture and building on our previous security enhancements. Our security journey began with requiring MFA for AWS Organizations management account root users in May 2024, followed by expanding MFA requirements to standalone account root users in June 2024, and introducing centralized root access management for AWS Organizations in November 2024.
IAM helps you securely manage identities and control access to AWS services and resources. MFA is an IAM security best practice that requires a second authentication factor in addition to the user name and password sign-in credentials. MFA is available at no additional cost and prevents over 99% of password-related attacks. You can use a range of supported IAM MFA methods, including FIDO-certified security keys, to harden access to your AWS accounts. AWS supports FIDO2 passkeys for a user-friendly MFA implementation and allows customers to register up to 8 MFA devices per root user and per IAM user. For AWS Organizations customers, we recommend centralizing root access management through the management account and removing root user credentials from member accounts, which represents an even stronger security posture.
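The following script is an added example, not AWS's own code, showing how a practitioner might verify the posture described above: it audits the root user from the data shape returned by `aws iam get-account-summary` (the `AccountMFAEnabled` and `AccountAccessKeysPresent` keys of its `SummaryMap`) and flags successful root console sign-ins made without MFA in CloudTrail `ConsoleLogin` records (`userIdentity.type`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`). The summary map and the CloudTrail log embedded below are constructed sample data so the script runs offline; the `member_account` flag is an assumed parameter standing in for the Organizations recommendation that member accounts hold no root credentials at all.

```python
"""Added example, not AWS's own code: audit root-user MFA posture from
IAM account-summary data and flag root console sign-ins made without MFA
in CloudTrail records. All input is constructed inline so the script runs
offline; in practice the summary map comes from `aws iam get-account-summary`
and the records from a CloudTrail log file."""
import json

# Constructed sample shaped like GetAccountSummary's SummaryMap.
SAMPLE_SUMMARY = {
    "AccountMFAEnabled": 0,         # 1 when the root user has an MFA device
    "AccountAccessKeysPresent": 1,  # 1 when the root user has access keys
}

# Constructed CloudTrail log (field names follow the ConsoleLogin schema).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventTime": "2025-01-10T08:00:00Z",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2025-01-10T09:15:00Z",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2025-01-10T09:20:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2025-01-10T10:00:00Z",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]})


def audit_root_posture(summary_map, member_account=False):
    """Return findings about the root user, derived from the summary map.

    member_account=True (assumed parameter) applies the recommendation for
    AWS Organizations member accounts: root credentials should be removed
    there and root access handled centrally from the management account.
    """
    mfa_enabled = bool(summary_map.get("AccountMFAEnabled", 0))
    keys_present = bool(summary_map.get("AccountAccessKeysPresent", 0))
    findings = []
    if not mfa_enabled:
        findings.append("root user has no MFA device registered")
    if keys_present:
        findings.append("root user has long-term access keys; delete them")
    # A registered root MFA device or root access keys both imply root
    # credentials still exist in this account.
    if member_account and (mfa_enabled or keys_present):
        findings.append("member account still holds root credentials; "
                        "manage root access centrally instead")
    return findings


def load_records(log_text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(log_text).get("Records", [])


def root_logins_without_mfa(records):
    """Return successful root ConsoleLogin events where MFA was not used.

    With root MFA enforced these should not occur; any hit is a gap worth
    investigating, such as an account not yet covered by the enforcement.
    """
    hits = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for f in audit_root_posture(SAMPLE_SUMMARY, member_account=True):
        print("FINDING:", f)
    for rec in root_logins_without_mfa(load_records(SAMPLE_LOG)):
        print("ALERT: root sign-in without MFA at", rec["eventTime"])
```

Failed root sign-ins are deliberately excluded from the alert list so that the detection reports only sessions that were actually established without a second factor; failed attempts belong in a separate brute-force signal rather than in this MFA-gap check.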