Checking AWS root accounts for MFA

Brett Gillett

Last week we needed to develop a quick and easy way to check that Multi-Factor Authentication (MFA) was enabled for the root account for a bunch of AWS accounts.

Being a proponent of project-based learning, I decided that this would be an excellent opportunity to further my understanding of Boto3 and serverless computing in Amazon Web Services.

Here’s the list of requirements that I came up with:

  1. There were to be no servers (EC2 instances) in the solution
  2. It had to be inexpensive
  3. It had to be able to check numerous AWS accounts that were not related
  4. It had to notify a few people if it discovered an AWS account that did not have MFA enabled on its root account

Here’s a diagram of the solution.

Here are the AWS services that we ended up using to build the remote MFA checker.

Simple Storage Service (S3)

Since we’re connecting to numerous AWS accounts, we need an easy, highly secure, method of storing API keys. After discussing a ton of different options, we decided that a secured S3 bucket was the best way to go. We uploaded the file and enabled Server-Side-Encryption (SSE) and also used an S3 bucket policy to lock down access to the data.

Also, we made sure that the API keys can only do the one thing that we want - use Boto3 API calls to check for MFA on the root account.

Storing our API keys in an S3 bucket is the one thing that I would like to change about the solution - I’m still not sure if there’s a better way to do this.


Since I didn’t want to have to maintain an EC2 instance (or anything else that would have us patching) I decided to use Lambda. The job runs every day @ 05:00, pretty simple.


I wanted a way to store our results for archiving. Since the data is clearly not relational, DynamoDB won here. We created a simple table with the AWS account ID as the primary key, a timestamp as a secondary key and a single data attribute for the results of our check.

Simple Notification Service (SNS)

If we found an AWS account without MFA enabled we not only wanted to store the results in DynamoDB, but I figured that we had better let someone know as well. For now, I decided to use SNS, but I already get too much email, so maybe in version two, I’ll use Slack.

There you have it, our automated tool to monitor AWS accounts for MFA-enabled root accounts.

Brett Gillett


Like what you read? Why not subscribe to the weekly Orbit newsletter and get content before everyone else?