Compliance Critical severity
AWS Security Hub · IAM
IAM.9: The root user can sign in without MFA
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub IAM.9 check?
IAM.9 fails when no MFA device of any kind is assigned to the AWS account root user, so root can sign in to the console with a password alone. The related IAM.6 goes one step further and fails when root's MFA is a virtual (authenticator-app) device rather than a hardware one: a root user protected only by a software token passes IAM.9 but still fails IAM.6.
Why does IAM.9 matter?
Root with only a password is one credential-stuffing or phishing event away from total account compromise. IAM identity-based policies cannot be attached to the root user, and SCPs never restrict the root user of the Organizations management account, so there MFA is the only thing standing between a stolen password and full control. (In member accounts SCPs do constrain root, but a compromised root can still do everything the SCP allows, including the account-level tasks no IAM principal can perform.) A FIDO2 security key is the strongest choice because its origin binding makes it phishing-resistant; a hardware TOTP token removes the SIM-swap and phone-malware risks of an app, but its codes can still be relayed by a real-time phishing proxy.
How do I fix IAM.9?
- Sign in as root, open Security credentials and assign an MFA device. AWS allows up to eight MFA devices on the root user, so register a backup device alongside the primary rather than relying on a single key.
- Prefer a hardware security key (FIDO2) or a dedicated hardware TOTP device over a phone app for the root user; a virtual device satisfies IAM.9 but not IAM.6.
- Store the devices securely (primary and backup in separate locations) and document the recovery process, so losing a device does not force you through AWS account recovery or tempt anyone to remove MFA from root.
Remediation script · bash
# Root MFA has no CLI equivalent: register it in the console while signed in as root
# (Security credentials > Multi-factor authentication > Assign MFA device).
# Then verify the summary flag flips to 1. IAM is a global service, so no --region is needed.
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
# A virtual (software) device bound to root shows up under the reserved serial below.
# Hardware keys and hardware TOTP tokens are NOT listed here, so an empty result
# together with AccountMFAEnabled = 1 means root is on hardware MFA (IAM.6 passes);
# a hit here means IAM.9 passes but IAM.6 still fails.
aws iam list-virtual-mfa-devices --assignment-status Assigned \
--query 'VirtualMFADevices[?ends_with(SerialNumber, `:mfa/root-account-mfa-device`)].SerialNumber'
# Enforce MFA on human IAM users with a conditional-deny policy keyed on the
# aws:MultiFactorAuthPresent flag (covered by IAM.5/IAM.19, not IAM.9).
# Replace the account ID and policy name with your own.
aws iam attach-group-policy --group-name HumanUsers \
--policy-arn arn:aws:iam::123456789012:policy/RequireMFAForUsers
# Require MFA pool-wide on a customer-facing Cognito pool (outside IAM.9's scope;
# included because the same lesson covers it). Cognito is regional, so target the
# region encoded in the pool ID.
aws cognito-idp set-user-pool-mfa-config --region eu-west-1 --user-pool-id eu-west-1_aB3cD4eFg \
--mfa-configuration ON --software-token-mfa-configuration Enabled=true
Full walkthrough (console steps, edge cases and verification) in the lesson Enable MFA for root and IAM users.
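The two CLI calls above give you raw JSON; deciding from them whether IAM.9 and IAM.6 pass is the part people get wrong, because hardware devices never appear in list-virtual-mfa-devices. The following is an added example (not AWS, Security Hub or Emnode code) that applies the documented logic to those two responses: IAM.9 passes when SummaryMap.AccountMFAEnabled is 1, and IAM.6 passes only when root has MFA and no assigned virtual device is bound to root. The sample responses embedded in it are constructed for the example and only mimic the shape of the CLI output; the account ID, user name and device ARNs are made up.

```python
"""Evaluate IAM.9 (any root MFA) and IAM.6 (hardware root MFA) from the JSON that
`aws iam get-account-summary` and
`aws iam list-virtual-mfa-devices --assignment-status Assigned` return.

Added example, not AWS code. The pass/fail rules encoded here:
  - IAM.9 passes when SummaryMap.AccountMFAEnabled == 1.
  - IAM.6 passes when root has MFA AND none of the assigned virtual devices is
    root's (a root virtual device has the reserved serial
    arn:aws:iam::<account>:mfa/root-account-mfa-device, and its User ARN ends in :root).
Hardware keys and hardware TOTP tokens are never returned by list-virtual-mfa-devices,
which is exactly why "MFA on, no root virtual device" means hardware MFA.
"""
import re
from dataclasses import dataclass

# Reserved serial AWS assigns to the root user's virtual MFA device.
ROOT_VIRTUAL_SERIAL = re.compile(r"^arn:aws:iam::\d{12}:mfa/root-account-mfa-device$")


@dataclass(frozen=True)
class RootMfaFinding:
    account_mfa_enabled: bool
    root_virtual_devices: tuple  # serials of virtual devices bound to root

    @property
    def iam9_passes(self) -> bool:
        return self.account_mfa_enabled

    @property
    def iam6_passes(self) -> bool:
        # Any virtual device on root downgrades the control to a fail,
        # even if a hardware key is registered as well.
        return self.account_mfa_enabled and not self.root_virtual_devices


def is_root_bound(device: dict) -> bool:
    """True if a VirtualMFADevices entry belongs to the account root user."""
    serial = device.get("SerialNumber", "")
    user_arn = device.get("User", {}).get("Arn", "")
    return bool(ROOT_VIRTUAL_SERIAL.match(serial)) or user_arn.endswith(":root")


def evaluate_root_mfa(account_summary: dict, virtual_devices: dict) -> RootMfaFinding:
    """Combine the two API responses into one finding."""
    flag = int(account_summary["SummaryMap"].get("AccountMFAEnabled", 0))
    root_devices = tuple(
        d["SerialNumber"]
        for d in virtual_devices.get("VirtualMFADevices", [])
        if is_root_bound(d)
    )
    return RootMfaFinding(account_mfa_enabled=flag == 1, root_virtual_devices=root_devices)


def report(finding: RootMfaFinding) -> str:
    """One-line Security Hub style status for both controls."""
    return (f"IAM.9 {'PASSED' if finding.iam9_passes else 'FAILED'}, "
            f"IAM.6 {'PASSED' if finding.iam6_passes else 'FAILED'}")


# Constructed sample responses: same shape as the CLI JSON, made-up values.
SUMMARY_NO_MFA = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}
SUMMARY_MFA = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}
NO_VIRTUAL = {"VirtualMFADevices": []}
ROOT_VIRTUAL = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
     "User": {"UserId": "123456789012", "Arn": "arn:aws:iam::123456789012:root"}},
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
     "User": {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"}},
]}


if __name__ == "__main__":
    for label, summary, devices in [
        ("no root MFA", SUMMARY_NO_MFA, NO_VIRTUAL),
        ("root on a virtual MFA", SUMMARY_MFA, ROOT_VIRTUAL),
        ("root on hardware MFA only", SUMMARY_MFA, NO_VIRTUAL),
    ]:
        print(f"{label:26s} -> {report(evaluate_root_mfa(summary, devices))}")
```

To run it against a real account, pipe the two CLI commands from the script above through `json.loads` and pass the results to `evaluate_root_mfa`; the IAM user's virtual device in the sample shows that only root-bound devices count, so an authenticator app on an ordinary user does not affect IAM.6.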
Part of the learning path Lock down access
More IAM controls
- IAM.1 A policy grants full "*" administrative privileges
- IAM.2 Policies attached directly to users do not scale or audit cleanly
- IAM.3 Long-lived access keys have not been rotated
- IAM.4 The root user still has long-lived access keys
- IAM.5 Console users without MFA are one phish from compromise
- IAM.6 The root user is not protected by hardware MFA
- IAM.7 The IAM password policy is too weak
- IAM.8 Unused IAM keys and passwords are waiting to be leaked
- IAM.10 IAM user password policies should be strong (PCI DSS)
- IAM.19 MFA should be enabled for all IAM users
- IAM.21 Wildcard permissions grant far more access than intended
- IAM.22 IAM credentials unused for 45 days should be removed