Let’s talk about the keys to the kingdom. Your AWS root account is exactly that – unrestricted access to everything, including billing. I’ve seen organizations get completely wiped out because this account was compromised.
This isn't just "important"; it's foundational. If your root account doesn't have hardware MFA enabled, you're leaving the front door wide open for an attacker to delete resources, exfiltrate data, and run up astronomical bills. IAM policies cannot limit the root user; the only control that can constrain root in a member account is a service control policy in AWS Organizations, and that does nothing for a standalone account or the management account itself.
This is a basic, non-negotiable step. Use a physical hardware MFA device (a FIDO security key or a hardware TOTP token). Do not settle for a virtual (app-based) MFA for root: its seed lives on a general-purpose phone that can be compromised or backed up elsewhere. You can check whether root has any MFA device assigned with:
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
A value of 1 means an MFA device is assigned to root, 0 means none. Note that this field does not tell you whether the device is hardware or virtual.
Enable it, secure it, then lock it away and never touch it for daily operations.
The fix
# Check root MFA status
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'   # 1 = MFA assigned to root, 0 = none
Reference: CIS AWS Foundations Benchmark 1.5
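Because AccountMFAEnabled reports only that some MFA device is assigned, the hardware check needs a second call: a virtual MFA device registered to root shows up in list-virtual-mfa-devices with a serial number ending in mfa/root-account-mfa-device. The script below is an added example, not part of the original post or any AWS-provided tooling. It separates the classification logic from the live API calls so the logic can be exercised offline against constructed inputs; the account ID 123456789012 in the usage comments is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: classify the root user's MFA posture.
#
# classify_root_mfa ENABLED SERIALS
#   ENABLED - value of SummaryMap.AccountMFAEnabled from get-account-summary (0 or 1)
#   SERIALS - whitespace-separated serial numbers from list-virtual-mfa-devices
# Prints one of NO_MFA, VIRTUAL_MFA, HARDWARE_MFA and returns 1, 2 or 0 respectively,
# so the function can drive a CI gate or a cron alert.
classify_root_mfa() {
  local enabled="$1" serials="$2"

  # No device of any kind assigned to root: worst case.
  if [ "$enabled" != "1" ]; then
    echo "NO_MFA"
    return 1
  fi

  # Root has MFA, but at least one virtual device is registered to it.
  # AWS names the root user's virtual device "root-account-mfa-device"; this is
  # the same string the CIS hardware-MFA audit procedure looks for. If root has
  # several devices, any virtual one is enough to fail the check.
  if printf '%s\n' "$serials" | grep -q 'mfa/root-account-mfa-device'; then
    echo "VIRTUAL_MFA"
    return 2
  fi

  # MFA is on and no virtual device belongs to root: a hardware device remains.
  echo "HARDWARE_MFA"
  return 0
}

# Live check against the current credentials. Requires the aws CLI and
# iam:GetAccountSummary plus iam:ListVirtualMFADevices permissions.
check_live() {
  local enabled serials
  enabled=$(aws iam get-account-summary \
              --query 'SummaryMap.AccountMFAEnabled' --output text)
  serials=$(aws iam list-virtual-mfa-devices --assignment-status Assigned \
              --query 'VirtualMFADevices[].SerialNumber' --output text)
  classify_root_mfa "$enabled" "$serials"
}

# Usage: ./root_mfa_check.sh --live
# Offline usage with constructed values (placeholder account ID):
#   classify_root_mfa 1 'arn:aws:iam::123456789012:mfa/root-account-mfa-device'
if [ "${1:-}" = "--live" ]; then
  check_live
fi
```

Wire the exit code into whatever already alerts you: a 1 or 2 from classify_root_mfa means the CIS hardware-MFA control is failing, and a 0 means the only thing left to verify is that the physical token is locked away as the post describes.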