Components Reference — every DS-05 class rendered once

  • Every DS-05 component class rendered at least once
  • Severity rendered via three channels (icon + label + color)
  • Pinned framework versions present in compliance table header

This page is the visual smoke-test fixture for Phase 1. It exists so a human reviewer can confirm period authenticity (DS-01) and color-strip survival (DS-07) in a single browser tab, and so scripts/check-severity-channels.js and the class inventory lint have a stable target to grep.

Primary action Secondary action

aws-iam-01-root-mfa

Enable hardware MFA on the AWS root user

CRITICAL PREVENTIVE

CLI remediation

aws iam enable-mfa-device \
  --user-name root \
  --serial-number arn:aws:iam::<ACCOUNT_ID>:mfa/root-account-mfa-device \
  --authentication-code-1 <CODE1> \
  --authentication-code-2 <CODE2>

IaC remediation

# Terraform AWS provider ~> 5.0
# Note: root MFA is configured via the AWS console (hardware token
# registration). This Terraform resource enforces the organizational
# policy that requires it. SCPs apply only to member accounts (the
# management account's root user is exempt) and take effect once
# attached with aws_organizations_policy_attachment.

resource "aws_organizations_policy" "require_root_mfa" {
  name = "require-root-mfa"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyRootWithoutMFA"
      Effect    = "Deny"
      Action    = "*"
      Resource  = "*"
      Condition = {
        # BoolIfExists rather than Bool: a request signed with long-term root
        # access keys carries no aws:MultiFactorAuthPresent key at all, and a
        # plain Bool test on an absent key never matches, so the Deny would
        # silently not apply to exactly the case it is meant to block.
        BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" }
        StringLike   = { "aws:PrincipalArn" = "arn:aws:iam::*:root" }
      }
    }]
  })
}

Compliance mapping

CIS AWS Foundations v3.0.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015
1.5 — Ensure MFA is enabled for the "root" user account | IA-2(1) — Multifactor authentication to privileged accounts | A.5.17 — Authentication information | CLD.9.5.2 — Tenant access to shared services

Sources

Severity samples

HIGH MEDIUM LOW

Threat-model (standalone)

MITIGATES Lateral movement via overly broad IAM role trust policy.

ATTACK VECTOR Compromised EC2 instance assumes an admin role because the trust policy permits any principal in the account.

BLAST RADIUS All resources reachable by the assumed role.

Misconfiguration sample

Misconfiguration: S3 bucket with BlockPublicAcls=false and a bucket policy granting s3:GetObject to Principal: "*". Any internet client reads every object.
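Detection logic for the two exposures this page describes, the misconfiguration sample just above (anonymous s3:GetObject grant on a bucket) and the threat-model card's trust policy that admits any principal in the account. This is an added example, not part of the fixture page or its scripts; the policy documents and the account ID 123456789012 are constructed samples, and every function name is this example's own.

```python
"""Classify an S3 bucket policy and an IAM role trust policy from their JSON.

Added example (not the fixture's code). Inputs below are constructed samples."""
import json


def _as_list(value):
    """IAM JSON allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any client on the internet matches."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _actions_cover(stmt, wanted):
    """True if the statement's Action field grants `wanted`, allowing for the
    service wildcard (s3:*) and the global wildcard (*). Case-insensitive."""
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    service = wanted.split(":")[0].lower()
    return bool(actions & {wanted.lower(), f"{service}:*", "*"})


def bucket_publicly_readable(policy_doc, public_access_block):
    """Return the Sids of bucket-policy statements that let anonymous clients read
    objects. RestrictPublicBuckets=true makes S3 ignore such grants for anyone
    outside the account, so nothing is reported then. BlockPublicAcls governs
    ACLs only and does not neutralise a policy grant."""
    if public_access_block.get("RestrictPublicBuckets"):
        return []
    sids = []
    for stmt in _as_list(policy_doc.get("Statement")):
        # A Condition (VPC endpoint, source IP, ...) scopes the grant; only
        # unconditioned anonymous grants are reported as internet-readable.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if principal_is_anonymous(stmt.get("Principal")) and _actions_cover(stmt, "s3:GetObject"):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def trust_policy_account_wide_principals(trust_doc):
    """Return one description per unconditioned sts:AssumeRole grant whose
    Principal is "*" or an account root ARN. arn:aws:iam::<ACCOUNT_ID>:root as a
    principal delegates to every IAM principal in that account that itself holds
    sts:AssumeRole permission, which is the over-broad trust the threat model describes."""
    findings = []
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _actions_cover(stmt, "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal")
        if principal_is_anonymous(principal):
            findings.append("any principal (*)")
        elif isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS")):
                if arn.endswith(":root"):
                    findings.append(f"any principal in account {arn.split(':')[4]}")
    return findings


# Constructed samples; 123456789012 is a placeholder account ID.
SAMPLE_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_BUCKET_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}''')
HARDENED_BUCKET_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}''')
SAMPLE_TRUST_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                 "Action": "sts:AssumeRole"}]}''')
HARDENED_TRUST_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ec2-web"},
                 "Action": "sts:AssumeRole"}]}''')

if __name__ == "__main__":
    print("public bucket:  ", bucket_publicly_readable(SAMPLE_BUCKET_POLICY, SAMPLE_PUBLIC_ACCESS_BLOCK))
    print("hardened bucket:", bucket_publicly_readable(HARDENED_BUCKET_POLICY, SAMPLE_PUBLIC_ACCESS_BLOCK))
    print("broad trust:    ", trust_policy_account_wide_principals(SAMPLE_TRUST_POLICY))
    print("narrow trust:   ", trust_policy_account_wide_principals(HARDENED_TRUST_POLICY))
```

The two checks deliberately skip statements that carry a Condition, because a grant scoped to a VPC endpoint, source IP or external ID is a different finding from an unconditioned public or account-wide grant; a real scanner would report those separately rather than ignore them. The same parsing helpers serve the bucket policy and the trust policy, since both are ordinary IAM policy documents.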

Callouts

Warning: Disabling MFA on the root user violates CIS AWS Foundations v3.0.0 control 1.5.

Danger: Storing root access keys on disk materially increases blast radius — rotate and delete immediately.

Info: AWS recommends hardware MFA tokens over virtual MFA for the root user.

Azure equivalent: secure the Global Administrator with privileged authentication →

Figure 1 — Root account MFA flow: console sign-in challenges the hardware token before AssumeRole succeeds. Diagram pending; described above in the threat-model "Attack vector".

Compliance badges

CIS NIST ISO

Last reviewed: