AWS Security ChangesHomeSearch

AWS IAM high security documentation change

Service: IAM · 2025-04-16 · Security-related high

File: IAM/latest/UserGuide/enable-mfa-for-root.md

Summary

Updated MFA enforcement policy to require MFA for all root users across all account types within 35 days

Security assessment

Strengthens security requirements for root user MFA enforcement across all AWS accounts, addressing a critical security control

Diff

diff --git a/IAM/latest/UserGuide/enable-mfa-for-root.md b/IAM/latest/UserGuide/enable-mfa-for-root.md
index b5e5ee914..c6fcac571 100644
--- a//IAM/latest/UserGuide/enable-mfa-for-root.md
+++ b//IAM/latest/UserGuide/enable-mfa-for-root.md
@@ -13 +13 @@ Multi-factor authentication (MFA) is a simple and effective mechanism to enhance
-Starting May 2024, all root users are required to enable MFA during their next sign-in if MFA is not already enabled. Users can postpone MFA registration for up to 35 days by skipping the prompt. After 35 days, enabling MFA becomes mandatory to proceed with sign-in and to access the AWS Management Console. For root users of AWS Organizations member accounts, MFA registration is currently optional, but enforcement is planned for Spring 2025.
+All AWS account types (standalone, management, and member accounts) require MFA to be configured for their root user. Users must register MFA within 35 days of their first sign-in attempt to access the AWS Management Console if MFA is not already enabled.