AWS Root user has signed in without MFA

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Extreme (act today)
Rule ID: RTM-002

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected an AWS root account authentication session initiated without using MFA.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.


AWS Multi-Factor Authentication (MFA) is a simple yet efficient method of verifying your user identity by requiring an authentication code generated by an MFA device (virtual or physical) on top of your usual access credentials (i.e. email address and password). The MFA device signature adds an extra layer of protection on top of your existing root credentials making your AWS root account virtually impossible to penetrate without the MFA generated passcode.

Cloud Conformity strongly recommends that you use Multi-Factor Authentication every time you sign in to your Amazon Web Services root account in order to secure the access to your AWS resources and adhere to security best practices.


Cloud Conformity RTMA root MFA detection should be an indispensable part in enforcing a strong access security policy for your AWS root account.

Monitoring root access in real-time is crucial for keeping your AWS account safe because the root user has unlimited privileges (i.e. can use any service or component, modify any resource, access any data in your AWS environment) – that's why is important to know when a root authentication request is made without the Multi-Factor Authentication layer.

Having an MFA-protected root account is the best way to protect your AWS resources and services against unauthorized users, as MFA adds extra security to the authentication process by forcing users to enter a unique passcode from an approved authentication device such as Google Authenticator (virtual) or SafeNet IDProve from Gemalto (hardware).


Publication date May 24, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

AWS Root user has signed in without MFA

Risk level: Extreme