
September 30, 2025

How to Fix MFA Alerts When Using AWS Centralized Root Access

Katie Ray

Head of Marketing


Managing AWS root users has always been challenging. 

Every member account in an AWS organization comes with its own root credentials, and as accounts multiply, so does the complexity of enforcing strong controls like MFA. 

Many teams have struggled to keep up, which often leads to skipped protections and increased risk.

In November 2024, AWS introduced centralized root access to solve this problem. Instead of configuring MFA separately for every account, you can now manage root access from a single, central location. 

In theory it should simplify life for security teams; in practice it has caused some confusing alerts in Cloud Native Application Protection Platforms (CNAPPs).

What did the new AWS feature change?

The centralized root feature allows administrators to manage root access at the organization level. Rather than tracking MFA settings and credentials for each individual member account, you can now enforce controls centrally.

The benefits are straightforward:

  • Less complexity: No more juggling MFA for dozens or hundreds of member accounts.
  • Fewer gaps: A centralized root makes it harder for overlooked accounts to slip through without protection.
  • Stronger consistency: Security policies apply across the organization, not account by account.

On paper, this is a major step forward. In practice, it exposed a blind spot in how CNAPPs evaluate root user security.

The alerts security teams didn’t expect

When one of our customers enabled centralized root access, their CNAPP (Wiz) immediately triggered alerts for every member account: “The root user does not have MFA enabled.”

At first glance, it looked like the new AWS feature had failed. The alerts implied that root credentials still existed in each account without MFA protection. In reality, the CNAPP couldn’t distinguish between two very different scenarios:

  • A root user with no MFA.
  • A root user with centralized access, where credentials no longer exist locally.

This made it appear as though the environment was insecure, even though centralized root was functioning as intended.

How Tamnoon validated and solved it

To verify what was really happening, we went directly to AWS. Running the command aws iam get-account-summary revealed the true state of each member account.

Two key values made the difference:

  • AccountPasswordPresent
  • AccountAccessKeysPresent

If both values return 0, root has been centralized and local credentials no longer exist. If either value returns 1, the account still has local root credentials, and MFA must be enabled.

With this logic in hand, we disabled the CNAPP’s default rule and built a custom rule to check these values instead. The result was clear, accurate detection of whether root access was centralized or unsecured, and no more false alerts across dozens of accounts.
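The custom rule described above, written out as an added example (this is not Tamnoon's, Wiz's or AWS's code). It assumes the SummaryMap keys AccountPasswordPresent, AccountAccessKeysPresent and AccountMFAEnabled, which get-account-summary returns as 0/1 integers; the sample responses at the bottom are constructed, not captured from a real account. It can be fed the CLI output directly with `aws iam get-account-summary | python3 root_state.py`.

```python
"""Root-credential state check built on `aws iam get-account-summary`.

Added example, not code from Tamnoon, Wiz or AWS. It assumes the SummaryMap
keys AccountPasswordPresent, AccountAccessKeysPresent and AccountMFAEnabled,
which the API returns as 0/1 integers. Feed it the CLI output directly:

    aws iam get-account-summary | python3 root_state.py
"""
import json
import sys

# The three outcomes a custom rule needs to tell apart.
CENTRALIZED = "centralized"         # no local root password, no root access keys
LOCAL_WITH_MFA = "local-root-mfa"   # local root credentials exist, MFA enabled
LOCAL_NO_MFA = "local-root-no-mfa"  # local root credentials exist, MFA missing


def classify_root(summary_map: dict) -> str:
    """Classify an account from its SummaryMap.

    Credential presence is checked before MFA: a centralized account reports
    AccountMFAEnabled = 0 because there is no local root credential left to
    protect, which is exactly what the default CNAPP rule misread as a gap.
    A missing key is treated as 1 (credential present) so that an unexpected
    response shape fails toward alerting rather than silence.
    """
    password_present = int(summary_map.get("AccountPasswordPresent", 1))
    keys_present = int(summary_map.get("AccountAccessKeysPresent", 1))
    mfa_enabled = int(summary_map.get("AccountMFAEnabled", 0))

    if password_present == 0 and keys_present == 0:
        return CENTRALIZED
    return LOCAL_WITH_MFA if mfa_enabled == 1 else LOCAL_NO_MFA


def should_alert(summary_map: dict) -> bool:
    """True only when local root credentials exist without MFA."""
    return classify_root(summary_map) == LOCAL_NO_MFA


def load_summary_map(cli_json: str) -> dict:
    """Accept either the full CLI document ({"SummaryMap": {...}}) or a bare map."""
    doc = json.loads(cli_json)
    return doc.get("SummaryMap", doc)


# Constructed sample responses (not captured from a real account).
SAMPLES = {
    "member-centralized": {"AccountPasswordPresent": 0,
                           "AccountAccessKeysPresent": 0,
                           "AccountMFAEnabled": 0},
    "member-local-mfa": {"AccountPasswordPresent": 1,
                         "AccountAccessKeysPresent": 0,
                         "AccountMFAEnabled": 1},
    "member-local-no-mfa": {"AccountPasswordPresent": 1,
                            "AccountAccessKeysPresent": 1,
                            "AccountMFAEnabled": 0},
}

if __name__ == "__main__":
    if sys.stdin.isatty():
        # No piped input: show the rule over the constructed samples.
        for name, summary in SAMPLES.items():
            print(f"{name}: {classify_root(summary)} alert={should_alert(summary)}")
    else:
        summary = load_summary_map(sys.stdin.read())
        print(f"{classify_root(summary)} alert={should_alert(summary)}")
```

The order of the checks is the whole point: credential presence is decided first, and MFA is only consulted when a local root credential actually exists. Defaulting a missing key to "present" keeps the rule from going quiet if the response shape ever changes.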

The good news for Wiz customers

On February 17, 2025, Wiz updated its platform to account for centralized root access automatically. That means the custom rule we built is no longer required for Wiz environments. Alerts now reflect the true state of root credentials, reducing confusion and unnecessary noise for security teams.

What about other CNAPPs?

Not every CNAPP has updated its logic yet. If your platform still flags missing MFA on member accounts after enabling centralized root, you’ll need to confirm whether those alerts are accurate or noise.

The fastest way is to validate directly with AWS IAM commands:

Check for centralized root

aws iam get-account-summary

Look at AccountPasswordPresent and AccountAccessKeysPresent. If both return 0, root is centralized.

Confirm MFA assignments

aws iam list-virtual-mfa-devices --assignment-status Assigned

Check for root access keys

aws iam list-access-keys

Run this without --user-name: that flag names an IAM user, and root is not one. With no user name, the call lists the access keys of the identity that signed the request, so run it with the account's root credentials, or read the root row of the credential report below.

Review password policy and usage

aws iam get-account-password-policy
aws iam get-credential-report

Audit activity

aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=<root_user>
aws iam get-account-authorization-details

These checks give you a reliable way to confirm whether root is actually exposed, even if your CNAPP hasn’t caught up yet. In the meantime, consider adjusting or creating custom rules to cut down on unnecessary alerts until your vendor updates their logic.
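For the credential report step above, an added example of reading the root row out of the report and listing what still needs attention (this is not Tamnoon's, Wiz's or AWS's code). It assumes the report's Content field is a base64-encoded CSV whose root row has "<root_account>" in the user column; the sample report embedded here is constructed for the example, with the column set trimmed to the columns used, and is not real AWS output. The `centralized` flag is meant to carry the answer from the get-account-summary check so that a missing MFA device on a centralized root is not reported as a finding.

```python
"""Read the root row of `aws iam get-credential-report` and list what still
needs attention.

Added example, not code from Tamnoon, Wiz or AWS. The report's Content field
is a base64-encoded CSV in which the root user's "user" column is
"<root_account>". The sample report here is constructed for the example
(column set trimmed to the ones used) and is not real AWS output.

Usage against a real account:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | python3 root_report.py
"""
import base64
import csv
import io
import sys

ROOT_USER = "<root_account>"


def decode_report(content_b64: str) -> list[dict]:
    """Base64 -> CSV text -> one dict per principal."""
    text = base64.b64decode(content_b64).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))


def root_row(rows: list[dict]) -> dict:
    """Return the root principal's row, or fail loudly if the report lacks one."""
    for row in rows:
        if row.get("user") == ROOT_USER:
            return row
    raise ValueError("credential report has no root row")


def root_findings(row: dict, centralized: bool = False) -> list[str]:
    """Findings for the root row.

    `centralized` is the answer from get-account-summary (both
    AccountPasswordPresent and AccountAccessKeysPresent equal to 0). When root
    is centralized, mfa_active == "false" is expected and not reported, but an
    active access key contradicts that state and is reported either way.
    """
    findings = []
    if not centralized and row.get("mfa_active") != "true":
        findings.append("root MFA is not active")
    for slot in ("access_key_1", "access_key_2"):
        if row.get(f"{slot}_active") == "true":
            findings.append(f"root {slot} is active")
    return findings


# Constructed sample report (not real AWS output); account id is a placeholder.
SAMPLE_CSV = "\n".join([
    "user,arn,password_enabled,password_last_used,mfa_active,"
    "access_key_1_active,access_key_1_last_used_date,"
    "access_key_2_active,access_key_2_last_used_date",
    "<root_account>,arn:aws:iam::123456789012:root,not_supported,no_information,"
    "false,true,2025-09-01T10:00:00+00:00,false,N/A",
    "deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,N/A,false,"
    "true,2025-09-29T08:00:00+00:00,false,N/A",
])
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_CSV.encode()).decode()

if __name__ == "__main__":
    # Piped input is the real report; otherwise fall back to the constructed sample.
    content = sys.stdin.read().strip() if not sys.stdin.isatty() else SAMPLE_REPORT_B64
    root = root_row(decode_report(content))
    for finding in root_findings(root, centralized="--centralized" in sys.argv):
        print(finding)
```

Pass `--centralized` only after get-account-summary has confirmed both presence values are 0; an active root access key is reported regardless, because under centralized root it should not exist at all and is worth a second look.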

Validating root MFA the right way

Centralized root access is a welcome improvement from AWS. It simplifies account management, reduces the risk of skipped MFA, and makes it easier to enforce consistent security. The challenge is that monitoring tools are still catching up.

If you rely on CNAPPs, expect some noisy alerts until vendors fully align with AWS’s changes. In the meantime, use AWS IAM commands to validate root status directly and tune your CNAPP rules so your team can focus on real risks.

At Tamnoon, this is the work we do every day: helping customers separate noise from signal and adapt quickly as cloud security evolves.
