Introduction
The root user holds the highest privilege in an AWS account, so it must be secured with particular care. An attacker who obtains the root user's password could take over the entire AWS account.
As a security best practice, Multi-Factor Authentication (MFA) must be enabled on the root user because it adds a second layer of authentication. Even with the password in hand, an attacker would not be able to log in, because the account would require a valid MFA token to complete the login process.
This article provides a step-by-step walkthrough of how to enable MFA for your AWS root user.
Enable MFA for Root User
A quick video walkthrough of these steps is also available:
To enable MFA for the Root User, follow the steps below:
- Sign in to the AWS Management Console using the account root user credentials.
- Navigate to the IAM service.
- On the IAM Dashboard, check whether MFA is enabled. In the picture below we can see that MFA has not been enabled for the root user.
- To enable MFA, click on Add MFA.
- This will open a new tab. In the new tab, click on Activate MFA.
- This will show a pop-up with three options; you can select any one of them. In this article we will select the Virtual MFA device option and click on Continue.
- If you have the option of scanning a QR code, click on Show QR code and scan it to proceed with the setup. You can also set it up using the secret key: click on Show secret key, copy the key, and set up the MFA device with it.
- Now provide two consecutive MFA codes and click on Assign MFA. This will set up the virtual MFA device.
- To verify the change, go back to the IAM dashboard and refresh the tab to confirm that MFA has been successfully set up.
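The two steps above that are easiest to get wrong are "provide two consecutive MFA codes" and the final verification. The following Python is an added example, not code from the article or from Kloudle. It assumes two things: that an AWS virtual MFA device is a standard TOTP generator (RFC 6238, 30-second step, 6 digits, HMAC-SHA1), which is why "two consecutive codes" means codes from two adjacent 30-second windows; and that the verification can be scripted from the output of `aws iam get-account-summary` (the `AccountMFAEnabled` flag) and `aws iam get-credential-report` (the `mfa_active` column of the `<root_account>` row). The secret in the TOTP check is the RFC 6238 test key, and the account summary and credential report are constructed sample data, not real output.

```python
import base64
import csv
import hashlib
import hmac
import io
import struct

# --- Part 1: what "two consecutive MFA codes" means for a virtual MFA device ---

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the secret shown by the console is base32; counter = time // step."""
    cleaned = base32_secret.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    return hotp(key, unix_time // step, digits)


def two_consecutive_codes(base32_secret: str, unix_time: int) -> tuple:
    """Codes for the current 30-second window and the one right after it."""
    return totp(base32_secret, unix_time), totp(base32_secret, unix_time + 30)


# RFC 6238 test key ("12345678901234567890" in base32); not an AWS secret.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# --- Part 2: scripted verification that root MFA is on ---

def root_mfa_enabled_from_summary(summary: dict) -> bool:
    """`aws iam get-account-summary` reports root MFA as SummaryMap.AccountMFAEnabled (1 = on)."""
    return summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1


def mfa_status_from_credential_report(report_csv: str) -> dict:
    """Map each user in the credential report to whether mfa_active is true.
    The root user appears as '<root_account>'."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {row["user"]: row["mfa_active"].strip().lower() == "true" for row in rows}


def decode_credential_report(api_response: dict) -> str:
    """`aws iam get-credential-report` returns the CSV base64-encoded in the Content field."""
    return base64.b64decode(api_response["Content"]).decode()


# Constructed sample of a get-account-summary response for an account without root MFA.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 2, "MFADevices": 1}}

# Constructed credential report (account id 123456789012 is the AWS documentation placeholder).
SAMPLE_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-01-01T00:00:00+00:00,"
    "true,2024-01-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true\n"
)
SAMPLE_REPORT_RESPONSE = {
    "Content": base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
}


if __name__ == "__main__":
    print("consecutive codes:", two_consecutive_codes(RFC6238_SECRET, 1111111109))
    print("root MFA (summary):", root_mfa_enabled_from_summary(SAMPLE_SUMMARY))
    report = decode_credential_report(SAMPLE_REPORT_RESPONSE)
    print("root MFA (report):", mfa_status_from_credential_report(report)["<root_account>"])
```

Against real output, replace the constructed `SAMPLE_SUMMARY` and `SAMPLE_REPORT_RESPONSE` with the JSON returned by the two CLI commands (`--output json`); the credential report must be generated first with `aws iam generate-credential-report`. The TOTP part is only there to make the "two consecutive codes" step concrete: the console is asking for the code for the current 30-second window followed by the code for the next one.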

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.
