Control: AWS > PCI v3.2.1 > IAM > 4 Hardware MFA should be enabled for the root user

This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials.

It does not check whether you are using virtual MFA.

To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA PCI.IAM.5(Virtual MFA should be enabled for the root user).

Remediation

To enable hardware-based MFA for the root account

Log in to your account using the root user credentials.
Choose the account name at the top right of the page and then choose My Security Credentials.
In the warning, choose Continue to Security Credentials.
Choose Multi-factor authentication (MFA).
Choose Activate MFA.
Choose a hardware-based (not virtual) device to use for MFA and then choose Continue.
Complete the steps to configure the device type appropriate to your selection.

PCI requirement(s): 8.3.1

Resource Types

This control targets the following resource types:

AWS > Account

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/iamRootUserHardwareMfaEnabled

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/iamRootUserHardwareMfaEnabled") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/iamRootUserHardwareMfaEnabled'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/iamRootUserHardwareMfaEnabled"