
Fix: Root Account Without MFA and With Access Keys

2026-06-21

The AWS account root user is the one identity that can do anything, including things IAM policies can't restrict. Two findings around it appear in nearly every first scan: root has no MFA (CIS 1.5/1.6, Security Hub [IAM.9]) and root has active access keys (CIS 1.4, [IAM.4]). Both are crown-jewels risk.

Practitioner guidance, not legal or audit advice.

1. Delete root access keys (there should be none)

The root user should never have access keys. Programmatic access goes through IAM roles, not root. Check and remove:

aws iam get-account-summary | grep AccountAccessKeysPresent
# If "AccountAccessKeysPresent": 1, sign in as root and delete them

Access keys for root can only be removed by signing in as root → My Security Credentials → delete the keys. There is no legitimate reason for them to exist.

2. Enable hardware MFA on root

CIS Level 2 (1.6) wants hardware MFA on root specifically, because root is the highest-value target. Sign in as root → My Security Credentials → Multi-factor authentication → Assign MFA device → choose a hardware key (FIDO2 security key is ideal).

3. Then lock root away

Once MFA is on and keys are gone:

  • Store the root credentials and MFA device securely (a safe, not a laptop).
  • Set up AWS Organizations so member accounts are managed without ever touching root.
  • Add a CloudWatch alarm on root usage (CIS 1.7 / [CloudWatch.1]) so any root login pages you immediately.
# No root activity should ever be expected, so alarm on any
# (metric filter on CloudTrail for userIdentity.type = Root)
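The alarm in the last bullet, wired up with the AWS CLI. This is an added example and not the post's own code; the log group name, metric namespace and SNS topic ARN are placeholders, and the filter pattern is the CIS 1.7 pattern as published in the AWS Security Hub documentation (it excludes service-invoked calls and AwsServiceEvent records so the alarm fires only on a real use of root credentials).

```shell
#!/bin/sh
# Added example, not code from the original post: create the CIS 1.7 /
# CloudWatch.1 root-usage metric filter and alarm with the AWS CLI.
# LOG_GROUP, METRIC_NS and SNS_TOPIC_ARN are placeholders (assumptions).
LOG_GROUP="${LOG_GROUP:-CloudTrail/DefaultLogGroup}"
METRIC_NS="${METRIC_NS:-CISBenchmark}"
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:us-east-1:111122223333:security-alerts}"
# Dry run by default: the two CLI calls are printed. Set AWS_CMD=aws to apply them.
AWS_CMD="${AWS_CMD:-echo}"

# CIS 1.7 pattern: root identity, not a call a service made on root's behalf,
# and not an AWS service event, so only a human or credential use of root matches.
root_usage_filter_pattern() {
    printf '%s' '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
}

deploy_root_usage_alarm() {
    # Turn each matching CloudTrail record into one data point of RootUsageCount.
    "$AWS_CMD" logs put-metric-filter \
        --log-group-name "$LOG_GROUP" \
        --filter-name RootUsage \
        --filter-pattern "$(root_usage_filter_pattern)" \
        --metric-transformations "metricName=RootUsageCount,metricNamespace=$METRIC_NS,metricValue=1" \
    || return 1

    # Sum over 5 minutes, fire on the first event, and stay OK while no data
    # arrives (notBreaching) so the alarm is quiet between root logins.
    "$AWS_CMD" cloudwatch put-metric-alarm \
        --alarm-name RootAccountUsage \
        --alarm-description "Any use of the root user (CIS 1.7 / CloudWatch.1)" \
        --namespace "$METRIC_NS" \
        --metric-name RootUsageCount \
        --statistic Sum \
        --period 300 \
        --threshold 1 \
        --comparison-operator GreaterThanOrEqualToThreshold \
        --evaluation-periods 1 \
        --treat-missing-data notBreaching \
        --alarm-actions "$SNS_TOPIC_ARN"
}

deploy_root_usage_alarm
```

The SNS topic needs at least one confirmed subscriber (a pager or ticketing endpoint) or the alarm fires into the void, and the filter only sees what CloudTrail actually delivers to that log group, so create both in the region that holds the CloudTrail log group and check that the trail is multi-region and includes management events.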

Keep it fixed

The Config rules iam-root-access-key-check and root-account-mfa-enabled (and root-account-hardware-mfa-enabled for Level 2) catch any regression. The IAM credential report shows the same state, and it is exactly the evidence an auditor will ask for.
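The check behind step 1 and the evidence this section refers to, as an added example that is not the post's own code: it pulls the root row out of the IAM credential report and evaluates the two findings (root MFA and root access keys). The column names are the documented credential-report CSV headers; the two sample reports are constructed and trimmed to the columns the check reads, and the account id in them is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: evaluate the <root_account>
# row of the IAM credential report for the root MFA and root access-key findings.
#
# Live usage (needs the AWS CLI and iam:GenerateCredentialReport / GetCredentialReport):
#   aws iam generate-credential-report >/dev/null   # repeat until State is COMPLETE
#   aws iam get-credential-report --query Content --output text | base64 -d | check_root_row

# Reads a credential report (CSV) on stdin. Prints one FAIL line per root
# finding, or one PASS line; exit status is 1 when any finding is present.
check_root_row() {
    awk -F, '
        BEGIN { seen = 0; bad = 0 }
        { sub(/\r$/, "") }                                        # tolerate CRLF reports
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header name -> column index
        $(col["user"]) == "<root_account>" {
            seen = 1
            if ($(col["mfa_active"]) != "true") {
                print "FAIL root MFA not enabled (CIS 1.5/1.6, IAM.9)"; bad = 1
            }
            if ($(col["access_key_1_active"]) == "true") {
                print "FAIL root access key 1 is active (CIS 1.4, IAM.4)"; bad = 1
            }
            if ($(col["access_key_2_active"]) == "true") {
                print "FAIL root access key 2 is active (CIS 1.4, IAM.4)"; bad = 1
            }
        }
        END {
            if (!seen) { print "FAIL no <root_account> row in report"; exit 1 }
            if (!bad) print "PASS root has MFA and no access keys"
            exit bad
        }'
}

# Constructed sample: root without MFA and with an active key (the finding state).
SAMPLE_BAD_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2019-05-02T09:12:00+00:00,not_supported,2024-03-01T10:00:00+00:00,false,true,2019-05-02T09:12:00+00:00,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-08-10T14:00:00+00:00,false,no_information,false,true,2023-11-01T08:00:00+00:00,false'

# Constructed sample: the remediated state (MFA on, both keys gone).
SAMPLE_GOOD_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2019-05-02T09:12:00+00:00,not_supported,2024-03-01T10:00:00+00:00,true,false,N/A,false'

printf '%s\n' "$SAMPLE_BAD_REPORT" | check_root_row || echo "root findings present (exit $?)"
printf '%s\n' "$SAMPLE_GOOD_REPORT" | check_root_row
```

The report is account-wide and needs no root sign-in to produce, so the same pipeline can run from a read-only audit role on a schedule; a non-zero exit is the regression signal, and the decoded CSV itself is the artifact to file with the audit evidence.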

Why it matters for CPS 234

Root hygiene is the sharpest form of "restrict administrative privileges", the control behind both CPS 234 Para 21 and Essential Eight strategy 5. A root user with standing keys and no MFA is an automatic finding in any review, and the credential report is the evidence that it has been fixed.


Primary sources: Security Hub IAM controls · CIS in Security Hub
