How to manage root user by multiple people

Question

Our group wants to store keys by using  AWS KMS for prevent one of us from using the key without permission.
We wants to configure a system that it needs everyone's approval when anyone uses the key.

I think we can acheive this by using AWS Systems Manager or any other external application.
But I think the person who can access as root user still can use the key if he try.

I know we can set up MFA and separate the MFA device from the person who knows password of root user, but i think it doesn't become a solution to the root of the problem.

So, is there any service or idea that prevent root user from using the key freely?

Answer

As for best practice, besides [best practices to protect root user](https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html), you could set up GuardDuty, which have a finding: [IAM Root Credential Use](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage).

If you require a higher level of security, you can take a look at [CloudHSM](https://aws.amazon.com/en/cloudhsm/features/) to check if it might be an adequate solution.

How to manage root user by multiple people

関連するコンテンツ