AWS-001 Amazon Web Services (AWS)
Root account MFA is enabled.
- Domain: Amazon Web Services (AWS)
- Area: Account / Root
- Automated / manual: Automated
Risk if it fails
Root has unrestricted power; without MFA, a single leaked password means full takeover.
If root has no second factor, anyone who phishes or guesses the master password owns the entire account — they can delete everything, spin up crypto-mining, and lock the real owner out.
How Tess tests it
1 test — each concludes only on cited evidence.
Root account MFA is enabled.
Automated
- Procedure: Inspect IAM credential report / account summary and confirm MFA is active on the root user.
Read-only command
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
# Expect: 1
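The procedure also names the IAM credential report as an evidence source. The following is an added example, not Tess's own code: a shell function that reads the report CSV and checks the `mfa_active` column of the `<root_account>` row. The function name `check_root_mfa`, the sample reports and the account ID are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: evaluate root MFA from an IAM credential report (CSV on stdin).
# Live input, once a report has been generated:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d

# Prints PASS / FAIL / ERROR with the observed value.
# Returns 0 on PASS, 1 on FAIL, 2 when the report cannot be evaluated.
check_root_mfa() {
  awk -F',' '
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    NR == 1 {
      # Locate columns by header name so extra columns do not matter.
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("user" in col) || !("mfa_active" in col)) {
        print "ERROR: user/mfa_active column missing"; bad = 1; exit
      }
      next
    }
    $col["user"] == "<root_account>" {
      seen = 1
      state = $col["mfa_active"]
      printf "%s: root mfa_active=%s\n", (state == "true" ? "PASS" : "FAIL"), state
    }
    END {
      if (bad) exit 2
      if (!seen) { print "ERROR: no <root_account> row in report"; exit 2 }
      exit (state == "true" ? 0 : 1)
    }
  '
}

# Constructed sample reports (made-up account ID and dates, columns trimmed).
HDR='user,arn,user_creation_time,password_enabled,mfa_active'
ROOT='<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported'
USER='alice,arn:aws:iam::123456789012:user/alice,2021-05-01T00:00:00+00:00,true,true'
SAMPLE_OK="$HDR
$ROOT,true
$USER"
SAMPLE_BAD="$HDR
$ROOT,false
$USER"
SAMPLE_NOROOT="$HDR
$USER"

printf '%s\n' "$SAMPLE_OK" | check_root_mfa || true
```

In `SAMPLE_BAD` the IAM user `alice` has MFA while root does not, so the check fails: only the `<root_account>` row decides the result.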