Multiple AWS Account setup
I have a personal AWS account and manage multiple AWS accounts for my company. AWS does not allow the same phone number across multiple accounts. What are the best practices for this scenario? And should we use a personal phone number for company owned AWS accounts?
A best practice is to use AWS Organizations to manage multiple accounts. You can easily add accounts tied to your organization with just an email address.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html
As hayao-k has already pointed out, AWS Organisations is the best way to manage multiple accounts for the same company.
However, I would strongly advise against using any of your personal accounts/numbers when managing AWS accounts for a company. Things can get very nasty/legal if you part ways on bad terms, especially if everything is still tied to you personally. You'd be better off creating a new (free) "Root" account for the company and then adding existing accounts to it.
Are you referring to not being able to use the same phone number for SMS based MFA across multiple accounts? If so, I would point you to some news that broke a few years ago when NIST changed their policy to advise against using SMS for MFA.
Password managers like 1Password have special Teams accounts that not only store account credentials but also provide virtual MFA devices to be used instead of SMS. Credentials can be securely shared amongst specific company staff that require root logins for AWS accounts.
When organising multiple accounts under AWS Organisations I would also advise the use of a hardware MFA token for the main company "root" account.
It sounds like you are the administrator for multiple AWS Accounts for your company.
For professional AWS Accounts, AWS recommends using company contact info such as a company phone number and email address rather than individual contact info. If the root user is configured with personal contact information (email, phone number), this becomes difficult to recover if the individual leaves the company. More information here: https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html
To that end, you can set alternate contacts for the AWS Account as some others have mentioned for Billing, Operations, and Security. https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html#manage-acct-update-contact-alternate.
While you could use Organizations, which is great for multi-account management, it could be a lot for a handful of accounts. When using Organizations, keep in mind the following info will be copied to new accounts (Account Name, Phone Number, Company Name, Company Contact Email, etc). For pre-existing accounts, you could move those accounts into an Organization via an invite as well. The company contact email could be a distribution list or a company-managed group email as well.
There's a lot to consider here with managing multiple accounts! As others have said, best practice is to keep your personal accounts completely separate from your company's AWS Accounts.
When setting up multiple accounts you can also define alternate contact types specific to Billing, Operations, and Security. Alternate contacts allow AWS to contact another person about issues with your account, even if you're unavailable. The alternate contact doesn't have to be a specific person. You could instead add an email distribution list if you have a team that is responsible for managing billing, operations and security related issues.
This way when alternate contacts are configured you have the relevant info from below sent to the right people across all accounts.
- Billing - When your monthly invoice is available, or your payment method needs to be updated. If your Receive PDF Invoice By Email is turned on in your Billing preferences, your alternate billing contact will receive the PDF invoices as well. Notifications can be from AWS Support, or other AWS service teams.
- Operations - When your service is, or will be, temporarily unavailable in one or more Regions. Any notification related to operations. Notifications can be from AWS Support, or other AWS service teams.
- Security - When you have notifications from the AWS Security, AWS Trust and Safety, or AWS service teams. These notifications might include security issues or potential abusive or fraudulent activities on your AWS account. Notifications can be from AWS Support, or other AWS service teams concerning security related topics associated with your AWS account usage. Do not include sensitive information in the subject line or full name fields since this might be used in email communications to you.
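The answers above recommend company-managed distribution lists for the Billing, Operations and Security alternate contacts on every account in the organization. The following script, an added example that is not part of the original thread, plans and applies that across all ACTIVE member accounts with the real boto3 calls `organizations.list_accounts` and `account.put_alternate_contact`. It assumes the caller runs in the management account (or a delegated administrator) with Organizations trusted access enabled for AWS Account Management; the contact values and `example.com` domain are constructed samples.

```python
"""Plan and apply company-owned alternate contacts across an AWS Organization."""
import re

# Constructed sample: one shared, company-managed mailbox per contact type.
# Use team names, not individuals, since Name may appear in emails AWS sends you.
COMPANY_CONTACTS = {
    "BILLING": {"Name": "Finance Team", "Title": "Accounts Payable",
                "EmailAddress": "aws-billing@example.com", "PhoneNumber": "+15555550100"},
    "OPERATIONS": {"Name": "Cloud Ops", "Title": "SRE",
                   "EmailAddress": "aws-ops@example.com", "PhoneNumber": "+15555550100"},
    "SECURITY": {"Name": "Security Team", "Title": "SecOps",
                 "EmailAddress": "aws-security@example.com", "PhoneNumber": "+15555550100"},
}

# Common consumer mail providers; a personal mailbox here is exactly what the thread warns against.
PERSONAL_MAIL = re.compile(r"@(gmail|yahoo|hotmail|outlook|icloud)\.", re.I)


def validate_contacts(contacts, company_domain):
    """Return a list of problems: personal mailboxes or addresses outside the company domain."""
    errors = []
    for ctype, contact in contacts.items():
        addr = contact["EmailAddress"]
        if PERSONAL_MAIL.search(addr) or not addr.lower().endswith("@" + company_domain.lower()):
            errors.append(f"{ctype}: {addr} is not a company-managed address")
    return errors


def plan_updates(accounts, contacts):
    """One (account_id, contact_type, contact) tuple per ACTIVE account and contact type."""
    return [(acct["Id"], ctype, contact)
            for acct in accounts if acct["Status"] == "ACTIVE"
            for ctype, contact in contacts.items()]


def apply_updates(updates):
    """Push the planned contacts to AWS (requires credentials; boto3 imported lazily)."""
    import boto3  # lazy so the planning helpers above run without AWS access
    own_id = boto3.client("sts").get_caller_identity()["Account"]
    account = boto3.client("account")
    for account_id, ctype, contact in updates:
        # The management account must omit AccountId when updating itself.
        extra = {} if account_id == own_id else {"AccountId": account_id}
        account.put_alternate_contact(AlternateContactType=ctype, **contact, **extra)


if __name__ == "__main__":
    import boto3
    problems = validate_contacts(COMPANY_CONTACTS, "example.com")
    assert not problems, problems
    pages = boto3.client("organizations").get_paginator("list_accounts").paginate()
    accounts = [a for page in pages for a in page["Accounts"]]
    apply_updates(plan_updates(accounts, COMPANY_CONTACTS))
```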