AWS has taken a major step forward in securing root user credentials by now enforcing multi‑factor authentication (MFA) for root users across all account types—including standalone, management, and member accounts. This latest AWS Identity and Access Management (IAM) update closes the gap for member account root users, building a stronger foundation in AWS’s “secure by design” mindset.

What’s new?
AWS has rolled out root-user MFA enforcement in stages since mid-2024:

  • May 2024: MFA required for the root user of AWS Organizations management accounts.
  • June 2024: requirement extended to the root user of standalone accounts.
  • Nov 2024: centralized management of root access for AWS Organizations became available, allowing member-account root credentials to be removed entirely.

(And now…) June 17, 2025: AWS extends root MFA enforcement to member accounts. A member account root user who signs in to the console without MFA configured must register an MFA device within 35 days of that sign-in. A member account is any account that belongs to an AWS Organization other than the management (formerly “master”) account.

Why MFA Matters
Multi-factor authentication (MFA) adds a second factor beyond the username and password, so a stolen or leaked password on its own is not enough to sign in. That closes the most common paths to account compromise: phishing, credential stuffing, brute force and password leaks. It matters most for the AWS root user, which cannot be constrained by IAM permission policies and has unrestricted access to every resource, billing setting and account configuration, including the ability to close the account. Enabling MFA costs nothing and takes minutes, and it is a baseline expectation in every identity best-practice guide.

The three major cloud providers make the same point, each citing a figure of around 99% for the share of password-based account compromises that MFA prevents:

AWS: “MFA stops over 99% of password-related breaches—at no cost.”
Microsoft: “MFA can block over 99.9% of account compromise attacks.”
Google (quoting CISA): “MFA makes users 99% less likely to be hacked.”

Getting Started
To enable MFA for the AWS Root User of a single account, follow these steps:

  1. Browse to the AWS Console and log in using the root user email and password.
  2. Once signed into the AWS Console, click on your account name (top-right corner) and select “Security credentials”.
  3. Scroll to the Multi-factor authentication (MFA) section and select “Assign MFA Device”. A root user can have up to 8 MFA devices registered, which is useful when the root user is shared by several stakeholders, and registering a second device also gives you a backup if the first is lost.
  4. Select your preferred MFA method: passkey or security key (FIDO2), authenticator app (virtual TOTP device) or hardware TOTP token. A FIDO2 security key is phishing-resistant because the credential is bound to the AWS sign-in origin; TOTP codes, whether from an app or a hardware token, can still be relayed through a phishing page. Whichever you choose, store physical devices where they cannot be lost or stolen.
  5. Follow the prompts to complete the MFA device setup.

Managing Multiple Root User Accounts
The steps above are quick for a single account, but repeating them across dozens or hundreds of accounts is slow and error-prone, and it still leaves a root password and MFA device to protect in every account. If you want to manage root access centrally for all member accounts, including removing root credentials from them altogether to shrink the attack surface, see one of my earlier blog posts on the topic (linked under References).
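To confirm that the console steps above actually took effect, and to do it across an Organization rather than one account at a time, the following Python script reads `AccountMFAEnabled` from IAM GetAccountSummary in each account and lists the accounts whose root user still has no MFA. It is an added example written for this post, not code from the original article or from AWS. The boto3 calls (`sts.get_caller_identity`, `sts.assume_role`, `iam.get_account_summary`, `organizations.list_accounts`) are real; the role name `OrganizationAccountAccessRole`, the placeholder account IDs and the sample responses are assumptions constructed for the example.

```python
"""Audit root-user MFA across an AWS Organization (added example; see lead-in)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Assumption: a role that exists in every member account and is assumable from where
# this runs. Organizations creates this one in accounts it creates; invited accounts may differ.
ORG_ROLE = "OrganizationAccountAccessRole"


@dataclass
class RootMfaResult:
    account_id: str
    name: str
    mfa_enabled: bool
    error: str = ""  # non-empty when the account could not be checked


def root_mfa_enabled(summary_map: Dict[str, int]) -> bool:
    """SummaryMap["AccountMFAEnabled"] from IAM GetAccountSummary is 1 when the root
    user has an MFA device registered. A missing key counts as not enabled so an
    incomplete response never reads as compliant."""
    return int(summary_map.get("AccountMFAEnabled", 0)) == 1


def audit_accounts(accounts: Iterable[Dict[str, str]],
                   fetch_summary: Callable[[str], Dict[str, int]]) -> List[RootMfaResult]:
    """Check every account; a failed lookup is recorded as non-compliant, not skipped."""
    results: List[RootMfaResult] = []
    for acct in accounts:
        acct_id, name = acct["Id"], acct.get("Name", "")
        try:
            results.append(RootMfaResult(acct_id, name, root_mfa_enabled(fetch_summary(acct_id))))
        except Exception as exc:  # e.g. AccessDenied because ORG_ROLE is missing there
            results.append(RootMfaResult(acct_id, name, False, f"{type(exc).__name__}: {exc}"))
    return results


def non_compliant(results: Iterable[RootMfaResult]) -> List[str]:
    """Account IDs whose root user still needs MFA, or that could not be verified."""
    return [r.account_id for r in results if not r.mfa_enabled]


def live_fetcher(session=None, role_name: str = ORG_ROLE):
    """Fetcher that calls IAM GetAccountSummary in each account, assuming role_name
    everywhere except the account the current credentials already belong to."""
    import boto3  # imported lazily so the evaluation logic runs without boto3

    session = session or boto3.Session()
    sts = session.client("sts")
    home_account = sts.get_caller_identity()["Account"]

    def fetch(account_id: str) -> Dict[str, int]:
        if account_id == home_account:
            iam = session.client("iam")
        else:
            creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
                                    RoleSessionName="root-mfa-audit")["Credentials"]
            iam = session.client("iam", aws_access_key_id=creds["AccessKeyId"],
                                 aws_secret_access_key=creds["SecretAccessKey"],
                                 aws_session_token=creds["SessionToken"])
        return iam.get_account_summary()["SummaryMap"]

    return fetch


def list_org_accounts(session=None) -> List[Dict[str, str]]:
    """ACTIVE accounts in the Organization (needs organizations:ListAccounts)."""
    import boto3

    org = (session or boto3.Session()).client("organizations")
    accounts: List[Dict[str, str]] = []
    for page in org.get_paginator("list_accounts").paginate():
        accounts.extend(a for a in page["Accounts"] if a["Status"] == "ACTIVE")
    return accounts


# Constructed sample data so the script runs offline; the IDs are placeholders.
SAMPLE_ACCOUNTS = [{"Id": "111111111111", "Name": "management"},
                   {"Id": "222222222222", "Name": "dev"},
                   {"Id": "333333333333", "Name": "prod"}]
SAMPLE_SUMMARIES = {"111111111111": {"AccountMFAEnabled": 1, "Users": 4},
                    "222222222222": {"AccountMFAEnabled": 0, "Users": 2}}
# 333333333333 is deliberately absent: it simulates a role that cannot be assumed.


def sample_fetcher(account_id: str) -> Dict[str, int]:
    if account_id not in SAMPLE_SUMMARIES:
        raise PermissionError("AccessDenied")
    return SAMPLE_SUMMARIES[account_id]


def _state(r: RootMfaResult) -> str:
    if r.mfa_enabled:
        return "MFA"
    return f"UNVERIFIED ({r.error})" if r.error else "NO MFA"


def report(results: Iterable[RootMfaResult]) -> List[str]:
    return [f"{r.account_id} {r.name}: {_state(r)}" for r in results]


if __name__ == "__main__":
    # Swap in list_org_accounts() and live_fetcher() to run against a real Organization.
    print("\n".join(report(audit_accounts(SAMPLE_ACCOUNTS, sample_fetcher))))
```

Run as-is it audits the constructed sample; swap in `list_org_accounts()` and `live_fetcher()` (from the management account or a delegated administrator, with the cross-account role in place) to audit a real Organization. Two caveats: GetAccountSummary tells you whether a device is registered, not how strong it is (a TOTP app and a FIDO2 key both count as 1), and an account whose root credentials have been removed through centralized root access is expected to report 0 with nothing left to enrol, so exclude those from the list rather than chasing them.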

References
Announcement: AWS IAM now enforces MFA for root users across all account types
Blog Post: Introducing Centralized Management of Root Access for AWS Organizations

About
With over 20 years in the technology sector, Keith has spent the last decade providing consultancy, support, and strategic direction to customers across multiple cloud platforms.

Disclaimer: The information shared on this blog is for informational purposes only and should not be considered as professional advice. The opinions presented here are personal and independent of any affiliations with tech companies or organizations.