I noticed the same thing last week on AWS - no requirement for 2FA when disabling 2FA on root account. Seemed strange, but I guess they figure requiring 2FA once more doesn’t add enough security..