AWS Security ChangesHomeSearch

AWS IAM high security documentation change

Service: IAM · 2025-04-16 · Security-related high

File: IAM/latest/UserGuide/root-user-best-practices.md

Summary

Updated MFA requirements to mandate configuration for all AWS account types (including member accounts) rather than optional for member accounts

Security assessment

The change enforces MFA for root users across all account types, closing a previous security gap where member accounts had optional MFA. This directly addresses account security hardening.

Diff

diff --git a/IAM/latest/UserGuide/root-user-best-practices.md b/IAM/latest/UserGuide/root-user-best-practices.md
index f397badb7..b93d6141d 100644
--- a//IAM/latest/UserGuide/root-user-best-practices.md
+++ b//IAM/latest/UserGuide/root-user-best-practices.md
@@ -79 +79 @@ Because a root user can perform privileged actions, it's crucial to add MFA for
-We strongly recommend enabling multiple MFA devices for your root user credentials to provide additional flexibility and resiliency in your security strategy. For standalone accounts and management accounts, MFA enforcement requires root users to register MFA within 35 days of their first sign-in attempt if it is not already enabled. For member accounts, MFA setup is currently optional, but enforcement is planned for Spring 2025, requiring MFA registration within 35 days to proceed to the AWS Management Console.
+We strongly recommend enabling multiple MFA devices for your root user credentials to provide additional flexibility and resiliency in your security strategy. All AWS account types (standalone, management, and member accounts) require MFA to be configured for their root user. Users must register MFA within 35 days of their first sign-in attempt to access the AWS Management Console if MFA is not already enabled.