🟠 CIS AWS 1.6 | Rule: CIS-AWS-1-6 | Severity: critical

Hardware MFA on root account

Description

Use hardware MFA (a YubiKey or equivalent FIDO2 security key) on the AWS root account.

⚠️ Risk Impact

SMS-based and TOTP (authenticator app) MFA can be bypassed through SIM swapping and phishing. Hardware MFA on root is the strongest baseline for AWS account security.

🔍 How EchelonGraph Detects This

CIS-AWS-1-6: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

Configure a FIDO2 hardware key on the root user. Store the hardware key in a dual-control safe.

💀 Real-World Attack Scenario

A SaaS company's root account had SMS-based MFA. Attackers performed a SIM swap, accessed the root account, granted themselves IAM admin, and exfiltrated customer data. Recovery: $1.8M plus customer trust impact.

💰 Cost of Non-Compliance

Average compromised-root-account breach: $1-5M (AWS-specific cost data).

📋 Audit Questions

  1. What MFA type is on root?
  2. Who is the hardware key custodian?
  3. Is the key stored in a dual-control safe?

🎯 MITRE ATT&CK Mapping

T1078 — Valid Accounts

⚡ Common Pitfalls

  • SMS MFA on root
  • Single-custodian hardware key (no fallback)
  • Hardware key in unsecured location

📈 Business Value

Hardware MFA on root is the strongest AWS account-level defense.

⏱️ Effort Estimate

Manual

1 hour per account

With EchelonGraph

EchelonGraph audits the root user's MFA type via the IAM API.
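The IAM-API check described in the detection section and here, as an added example rather than EchelonGraph's own scanner code: it applies the CIS 1.6 audit logic to the GetAccountSummary and ListVirtualMFADevices responses. The sample responses are constructed, and the audit_live_account helper assumes boto3 is installed with read-only IAM credentials.

```python
"""Classify the root user's MFA type the way CIS AWS 1.6 is audited.

  - iam:GetAccountSummary -> SummaryMap["AccountMFAEnabled"] is 1 when root has any MFA.
  - iam:ListVirtualMFADevices -> a device assigned to the root ARN means the MFA is a
    virtual (TOTP app) device, which CIS 1.6 does not accept.
  - MFA enabled with no virtual device on root => hardware MFA (FIDO2 key or hardware
    TOTP token; the API does not distinguish the two).
"""

ROOT_ARN_SUFFIX = ":root"


def classify_root_mfa(account_summary: dict, virtual_devices: list) -> str:
    """Return 'none', 'virtual' or 'hardware' for the root user's MFA."""
    summary = account_summary.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        return "none"
    for dev in virtual_devices:
        user = dev.get("User") or {}
        if user.get("Arn", "").endswith(ROOT_ARN_SUFFIX):
            return "virtual"
    return "hardware"


def is_compliant(classification: str) -> bool:
    """CIS 1.6 passes only when root's MFA is a hardware device."""
    return classification == "hardware"


def audit_live_account() -> str:
    """Query a real account; needs iam:GetAccountSummary and iam:ListVirtualMFADevices."""
    import boto3  # imported here so the classification logic runs without boto3
    iam = boto3.client("iam")
    devices = []
    for page in iam.get_paginator("list_virtual_mfa_devices").paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])
    return classify_root_mfa(iam.get_account_summary(), devices)


# Constructed sample responses (not real account data) in the shape the APIs return.
SAMPLE_SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 4}}
SAMPLE_SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 4}}
SAMPLE_ROOT_VIRTUAL = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
                        "User": {"Arn": "arn:aws:iam::123456789012:root"}}]
SAMPLE_USER_VIRTUAL = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
                        "User": {"Arn": "arn:aws:iam::123456789012:user/alice"}}]

if __name__ == "__main__":
    for label, s, d in [("mfa off", SAMPLE_SUMMARY_MFA_OFF, []),
                        ("root virtual", SAMPLE_SUMMARY_MFA_ON, SAMPLE_ROOT_VIRTUAL),
                        ("root hardware", SAMPLE_SUMMARY_MFA_ON, SAMPLE_USER_VIRTUAL)]:
        print(f"{label}: {classify_root_mfa(s, d)}")
```

Because the API only reveals whether root's MFA is virtual, a hardware TOTP token also classifies as "hardware"; confirming the device is a FIDO2 key and that it sits in the dual-control safe remains a manual custodian check.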

🔗 Cross-Framework References

NIST-IA-5

Automate CIS AWS 1.6 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
