AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-03-10 · Documentation low

File: securityhub/latest/userguide/iam-controls.md

Summary

Expanded documentation for MFA root user control checks and failure conditions

Security assessment

Clarifies security control behavior without evidence of addressing a specific vulnerability

Diff

diff --git a/securityhub/latest/userguide/iam-controls.md
index 3cf3b81dc..38a4fd7fe 100644
--- a/securityhub/latest/userguide/iam-controls.md
+++ b/securityhub/latest/userguide/iam-controls.md
@@ -304 +304 @@ After you identify the inactive accounts or unused credentials, deactivate them.
-The root user has complete access to all the services and resources in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to the AWS Management Console, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
+This control checks whether multi-factor authentication (MFA) is enabled for the IAM root user of an AWS account to sign in to the AWS Management Console. The control fails if MFA isn't enabled for the root user of the account.
@@ -306 +306,12 @@ The root user has complete access to all the services and resources in an AWS ac
-When you use virtual MFA for the root user, CIS recommends that the device used is _not_ a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.
+The IAM root user of an AWS account has complete access to all the services and resources in the account. If MFA is enabled, the user must enter a username, a password, and an authentication code from their AWS MFA device in order to sign in to the AWS Management Console. MFA adds an extra layer of protection on top of a username and password.
+
+This control generates `PASSED` findings in the following cases:
+
+  * Root user credentials are present in the account and MFA is enabled for the root user.
+
+  * Root user credentials aren’t present in the account.
+
+
+
+
+The control generates `FAILED` findings if root user credentials are present in the account and MFA isn’t enabled for the root user.
@@ -310 +321 @@ When you use virtual MFA for the root user, CIS recommends that the device used
-To enable MFA for the root user, see [Activate MFA on the AWS account root user](https://docs.aws.amazon.com/accounts/latest/reference/root-user-mfa.html) in the _AWS Account Management Reference Guide_.
+For information about enabling MFA for the root user of an AWS account, see [Multi-factor authentication for the AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-mfa-for-root.html) in the _AWS Identity and Access Management User Guide_.