AWS provides the ability to enable multi-factor authentication (MFA) for AWS root user credentials. Stax works with AWS root credentials that have MFA enabled for both reseller-owned and customer-owned accounts. See Account Ownership Models for more information around account ownership within Stax.
Why doesn't Stax enable MFA on all reseller-owned Accounts?
Stax does not enable MFA for root user credentials of all reseller-owned accounts. This is because the root credentials are not stored after creation, therefore, MFA cannot be enabled. The root credentials are auto generated by AWS at the time of account creation by leveraging the AWS Organizations API. The only way to obtain the auto generated password is via the AWS Forgotten Password flow, which requires access to the account's root user email address. The root user email address is locked down and protected with strict security controls.
Stax does not enable or manage MFA for the root user credentials of customer-owned accounts, since Stax does not have access to the root user credentials. It is your responsibility to enable and manage MFA for the root user credentials of AWS accounts that you own.
Service Control Policy (SCP) Restrictions
Stax limits the ability of root credentials to perform actions on an AWS account by enforcing a mandatory Stax-Protection Service Control Policy (SCP). This SCP is a restrictive policy, attached at the AWS Organization level that limits the actions available to root credentials. There are some actions that cannot be restricted by this SCP, these are listed here.
If you need this SCP lifted, please see Access AWS Account Root User Credentials for more information.