Compliance · Critical severity

AWS Security Hub · IAM

IAM.6: The root user is not protected by hardware MFA

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub IAM.6 check?

IAM.6 fails when the account root user does not have a hardware MFA device enabled. A virtual (software) MFA device is not enough to pass — the control specifically requires a hardware key.

Why does IAM.6 matter?

Root can do anything in the account, including actions no IAM policy or SCP can restrict, and it can't be deleted or scoped down. A phished or reused root password with no phishing-resistant second factor is an extinction-level event — the Code Spaces shutdown in 2014 began exactly this way. A hardware key binds the second factor to a physical origin, so a fake login page captures the password but never a valid signature.

How do I fix IAM.6?

  1. Sign in as root and enrol a hardware MFA device under My Security Credentials — this step is console-only by design.
  2. Register a second hardware key as a backup and store both in separate secure locations.
  3. Lock root away behind a break-glass procedure and run day-to-day work through IAM roles instead.
  4. Add a CloudWatch alarm on root sign-in so any use becomes a paged incident.

Remediation script · bash

# Root MFA has no CLI equivalent: register it in the console while signed in as root
# (Security credentials > Multi-factor authentication > Assign MFA device).
# Then verify the two conditions the control evaluates: no virtual MFA device is bound
# to the root ARN (the first query must return an empty list; a virtual device here is
# exactly what makes IAM.6 fail) and the account-level MFA flag is 1 (the second query).
aws iam list-virtual-mfa-devices --assignment-status Assigned \
  --query 'VirtualMFADevices[?ends_with(SerialNumber, `:mfa/root-account-mfa-device`)].SerialNumber'
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'

# Enforce MFA on human IAM users with a conditional-deny policy keyed on the MFA flag.
aws iam attach-group-policy --group-name HumanUsers \
  --policy-arn arn:aws:iam::123456789012:policy/RequireMFAForUsers

# Require MFA pool-wide on a customer-facing Cognito pool.
aws cognito-idp set-user-pool-mfa-config --user-pool-id eu-west-1_aB3cD4eFg \
  --mfa-configuration ON --software-token-mfa-configuration Enabled=true
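
As an added example (not the page's or Emnode's own script), the shell function below reproduces the IAM.6 decision from the two CLI results above, so the verification can be scripted and alerted on instead of read by eye. The live wrapper assumes an aws CLI profile holding iam:GetAccountSummary and iam:ListVirtualMFADevices; the sample values at the bottom are constructed, not taken from a real account.

```bash
#!/usr/bin/env bash
# iam6_evaluate <AccountMFAEnabled> <root-virtual-serials>
#   $1 : value of SummaryMap.AccountMFAEnabled (0 or 1)
#   $2 : serials of virtual MFA devices bound to the root ARN, empty if none
# Mirrors the control: fail if root MFA is off, fail if root's MFA is a
# virtual device, otherwise pass (the remaining device must be hardware).
# Prints PASS or FAIL:<reason>; exit status 0 on PASS, 1 on FAIL.
iam6_evaluate() {
  local mfa_enabled="$1" root_virtual="$2"
  if [ "$mfa_enabled" != "1" ]; then
    echo "FAIL:root-mfa-disabled"
    return 1
  fi
  if [ -n "$root_virtual" ]; then
    echo "FAIL:root-uses-virtual-mfa ($root_virtual)"
    return 1
  fi
  echo "PASS"
  return 0
}

# Live wrapper: the same two calls as the remediation script, with --output text
# so an empty result list comes back as an empty string.
iam6_check_live() {
  local enabled serials
  enabled=$(aws iam get-account-summary \
    --query 'SummaryMap.AccountMFAEnabled' --output text)
  serials=$(aws iam list-virtual-mfa-devices --assignment-status Assigned --output text \
    --query 'VirtualMFADevices[?ends_with(SerialNumber, `:mfa/root-account-mfa-device`)].SerialNumber')
  iam6_evaluate "$enabled" "$serials"
}

# Constructed sample results (hypothetical account id, not real data):
SAMPLE_HW_ROOT_ENABLED=1
SAMPLE_HW_ROOT_SERIALS=""
SAMPLE_VIRT_ROOT_ENABLED=1
SAMPLE_VIRT_ROOT_SERIALS="arn:aws:iam::123456789012:mfa/root-account-mfa-device"

# Stand-alone demonstration against the constructed samples.
iam6_evaluate "$SAMPLE_HW_ROOT_ENABLED" "$SAMPLE_HW_ROOT_SERIALS"              # PASS
iam6_evaluate "$SAMPLE_VIRT_ROOT_ENABLED" "$SAMPLE_VIRT_ROOT_SERIALS" || true   # FAIL:root-uses-virtual-mfa (...)
```

Call iam6_check_live from a scheduled job and page on any non-zero exit; a FAIL:root-uses-virtual-mfa result means the console step was done with an authenticator app rather than a hardware key.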

Full walkthrough (console steps, edge cases and verification) in the lesson Enable MFA for root and IAM users.

Part of the learning path Lock down access
  • IAM.1 A policy grants full "*" administrative privileges
  • IAM.2 Policies attached directly to users do not scale or audit cleanly
  • IAM.3 Long-lived access keys have not been rotated
  • IAM.4 The root user still has long-lived access keys
  • IAM.5 Console users without MFA are one phish from compromise
  • IAM.7 The IAM password policy is too weak
  • IAM.8 Unused IAM keys and passwords are waiting to be leaked
  • IAM.9 The root user can sign in without MFA
  • IAM.10 IAM user password policies should be strong (PCI DSS)
  • IAM.19 MFA should be enabled for all IAM users
  • IAM.21 Wildcard permissions grant far more access than intended
  • IAM.22 IAM credentials unused for 45 days should be removed