
MFA required for AWS Organizations member accounts in 2025

AWS is one of several cloud providers that will implement MFA requirements over the next year, with other relevant names including Google Cloud and Microsoft Azure.

Amazon will require MFA on member accounts in AWS Organizations beginning in Spring 2025, the company announced Friday.

Amazon's latest announcement comes on the heels of other tech giants similarly announcing expansions of their MFA requirements. Last week, Google Cloud announced it would roll out MFA requirements for all users beginning this month until the end of next year. Microsoft made a similar announcement for Azure users in August, though all three cloud providers have been discussing MFA mandates for longer.

AWS, for example, first announced it would expand MFA requirements in October of last year. Amazon CSO Steve Schmidt wrote in a blog post at the time that beginning in mid-2024, "customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed," with plans to expand this requirement through the end of the year.

The company began requiring MFA for AWS Organizations management account root users in large environments starting in May. In June, Amazon added support for FIDO2 passkeys as an authentication method while at the same time expanding requirements to root users in standalone accounts.

Arynn Crow, principal product manager of account protection for AWS Identity, wrote in a blog post on Friday that since launching FIDO2 passkey support in June, "customer registration rates for phishing-resistant MFA increased by over 100%" and that more than 750,000 AWS root users enabled MFA.

In its latest expansion of this MFA initiative, AWS announced, "Customers who have not enabled central management of root access will be required to register MFA for their AWS Organizations member account root users in order to access the AWS Management Console" beginning in Spring 2025. Crow wrote that changes will be rolled out gradually and customers required to take action will be notified on an individual basis in advance "to help customers adhere to the new requirements while minimizing impact to their day-to-day operations."

For customers required to use MFA, Amazon allows for virtual authenticator apps; hardware time-based one-time tokens; and FIDO2 authentication methods, including security keys and synchronizable passkeys.

On Friday AWS also introduced a capability to manage root access for accounts under an AWS Organization, which the company said will help customers eliminate unnecessary passwords.

"This capability enables customers to greatly reduce the number of passwords they have to manage while still maintaining strong controls over the use of root principals," the blog read. "Customers can now enable centralized root access with a simple configuration change through the IAM console or the AWS CLI. Then, customers can remove the long-term credentials (including passwords or long-term access keys) of member account root users in their organizations. This will improve the security posture of our customers while simultaneously reducing their operational effort."
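Until the requirement lands and root passwords are removed, the condition worth watching is a root-user console sign-in that did not use MFA. The following is an added detection example, not code from the article or from AWS; it runs over constructed CloudTrail ConsoleLogin records (field names follow CloudTrail's documented event format) and returns the root sign-ins made without MFA.

```python
"""Flag AWS root-user console sign-ins that did not use MFA.

Added example, not from the article. Field names follow CloudTrail's
documented ConsoleLogin event format; the sample records below are
constructed with fictitious account IDs, not real log data.
"""

# Constructed sample CloudTrail records (fictitious account IDs).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-11-15T09:12:01Z",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-11-15T10:03:44Z",
     "userIdentity": {"type": "Root", "accountId": "222222222222"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-11-15T11:20:09Z",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "userName": "deploy-bot"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-11-15T12:45:30Z",
     "userIdentity": {"type": "Root", "accountId": "333333333333"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]


def root_logins_without_mfa(events, successful_only=True):
    """Return (accountId, eventTime, succeeded) for root ConsoleLogin
    events where MFA was not used. Failed attempts are skipped unless
    successful_only=False, which also surfaces failed attempts against
    a root password that still exists."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        identity = ev.get("userIdentity", {})
        if identity.get("type") != "Root":
            continue
        if ev.get("additionalEventData", {}).get("MFAUsed") == "Yes":
            continue
        succeeded = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if successful_only and not succeeded:
            continue
        findings.append((identity.get("accountId"), ev.get("eventTime"), succeeded))
    return findings
```

On the sample data only the first record is a successful root sign-in without MFA; the IAM-user event is ignored because the page's requirement concerns root users specifically.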

Asked about why so many major companies are currently rolling out MFA requirements, Crow told TechTarget Editorial it comes down to a confluence of factors, such as the security incidents observed in the time since the COVID-19 pandemic began as well as developments in authentication technology.

"We determined it was the right time to make MFA the default security posture for our customers. We also had inputs from the industry at large and data we could see internally that told us that it was the right control," she said.

As for organizations' readiness, Crow said AWS hasn't seen any customer pushback against implementing MFA, and feedback has been "really positive." Part of it, she said, is that there's some form of MFA for everybody. Additionally, AWS rolled out requirements gradually.

"When we first started talking about this program, we took a lot of dependencies internally on when we would enable the different stages of this program," she said. "For example, before we wanted to expand to standalone accounts in our smaller customer base, it was essential for us to make sure that we had something like FIDO2 passkeys available that we thought would be really generally appealing and usable by a really broad base of customers."

Crow also highlighted the new feature to centrally manage root access for AWS Organizations member accounts. "And then we also very purposefully waited to announce the expansion of these requirements to our member accounts because we wanted something like the centralized root access features available to make it more manageable for customers in really scaled environments. We had a lot of consideration go into how to make sure that we can support our customers and bring them along in this journey."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
