Showing posts with the label Root Account

Securing Your AWS Root Account: A Step-by-Step Guide to Enabling MFA with a Virtual Authenticator App

The AWS root account is the most privileged identity in your entire AWS organization — it bypasses all IAM policies and cannot be restricted. Leaving it unprotected with just a password is the single highest-risk security gap you can have on day one of a new AWS account.

TL;DR

| Step | Action | Where |
|------|--------|-------|
| 1 | Sign in as root user | AWS Console login page |
| 2 | Open Security Credentials | Top-right account menu |
| 3 | Assign MFA device | IAM > Security credentials > MFA |
| 4 | Choose Virtual MFA device | MFA device wizard |
| 5 | Scan QR code in authenticator app | Google Authenticator / Authy / 1Password |
| 6 | Enter two consecutive OTP codes | MFA wizard confirmation |
| 7 | Verify MFA is active | Security credentials page |

Why the Root Account Demands Special Treatment

Every AWS account has exactly one root user, identified by the email address used during account creation. Unlike IAM users or roles, the root user: Cannot be rest...