Skip to content
Vectel
Support/Cloud platforms

We discover our AWS root account has no MFA

Root without MFA is not a minor housekeeping item, that is a full-red incident. Anyone with that password can charge unlimited spend to your card.

Try this first

  1. 1Stop other work. MFA on root first: sign in as root, go to IAM > Security credentials > Multi-factor authentication, register a hardware key or a TOTP app on a phone that is not solely on one admin.
  2. 2Store the MFA recovery codes in a vault several people can access. One person with root-MFA on only their personal phone is your next incident.
  3. 3Rotate the root password right after enabling MFA. Was it written somewhere in a wiki or mail? Assume it leaked, do not hope.
  4. 4Enable CloudTrail in every region and review the last thirty days for root login events. Unknown IPs or regions: you are breached and this becomes a data-incident question, not an IT one.
  5. 5Set a policy that root is not used for day-to-day work from now on. Create admin users in IAM Identity Center, vault root, only use it for things only root can do (close account, change support plan).

When to bring us in

CloudTrail shows unknown sessions, or resources you do not recognise (cryptominer instances in obscure regions): file with AWS Support, freeze the card through your bank, call us. This goes beyond this ticket.

See also

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.

Who are you?

For the AI question we need your email and company, so we can follow up if the AI gets stuck, and to prevent abuse.

Limited to 2 questions per hour and 5 per day, kept lean so the AI stays useful. For more, contacting us directly works better for you and us.

Or skip the DIY entirely

Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.

Bring us inHow Managed IT works