Multiple AWS Account setup

0

I have a personal AWS account and manage multiple AWS accounts for my company. AWS does not allow the same phone number across multiple accounts. What are the best practices for this scenario? And should we use a personal phone number for company owned AWS accounts?

4 Answers
3

A best practice is to use AWS Organizations to manage multiple accounts. You can easily add accounts tied to your organization with just an email address.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html

hayao-k
answered 2 years ago
3

As hayao-k has already pointed out, AWS Organisations is the best way to manage multiple accounts for the same company.

However, I would strongly advise against using any of your personal accounts/numbers when managing AWS accounts for a company. Things can get very nasty/legal if you part ways on bad terms, especially if everything is still tied to you personally. You'd be better off creating a new (free) "Root" account for the company and then adding existing accounts to it.

Are you referring to not being able to use the same phone number for SMS-based MFA across multiple accounts? If so, I would point you to some news that broke a few years ago when NIST changed their policy to advise against using SMS for MFA.

Password managers like 1Password have special Teams accounts that not only store account credentials but also provide virtual MFA devices to be used instead of SMS. Credentials can be securely shared amongst specific company staff that require root logins for AWS accounts.

When organising multiple accounts under AWS Organisations I would also advise the use of a hardware MFA token for the main company "root" account.

answered 2 years ago
2
Accepted Answer

It sounds like you are the administrator for multiple AWS Accounts for your company.

AWS recommends that professional AWS Accounts use company contact info, such as a company phone number and email address, rather than individual contact info. If the root user is configured with personal contact information (email, phone number), this becomes difficult to recover if the individual leaves the company. More information here: https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html

To that end, you can set alternate contacts for the AWS Account as some others have mentioned for Billing, Operations, and Security. https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html#manage-acct-update-contact-alternate.

While you could use Organizations, which is great for multi-account management, it could be a lot for a handful of accounts. When using Organizations, keep in mind the following info will be copied to new accounts (Account Name, Phone Number, Company Name, Company Contact Email, etc). For pre-existing accounts, you could move those accounts into an Organization via an invite as well. The company contact email could be a distribution list or a company-managed group email as well.

There's a lot to consider here with managing multiple accounts! As others have said, best practice is to keep your personal accounts completely separate from your company's AWS Accounts.

jsonc
answered 2 years ago
2

When setting up multiple accounts you can also define alternate contact types specific to Billing, Operations, and Security. Alternate contacts allow AWS to contact another person about issues with your account, even if you're unavailable. The alternate contact doesn't have to be a specific person. You could instead add an email distribution list if you have a team that is responsible for managing billing, operations and security related issues.

This way when alternate contacts are configured you have the relevant info from below sent to the right people across all accounts.

  • Billing - When your monthly invoice is available, or your payment method needs to be updated. If your Receive PDF Invoice By Email is turned on in your Billing preferences, your alternate billing contact will receive the PDF invoices as well. Notifications can be from AWS Support, or other AWS service teams.
  • Operations - When your service is, or will be, temporarily unavailable in one or more Regions. Any notification related to operations. Notifications can be from AWS Support, or other AWS service teams.
  • Security - When you have notifications from the AWS Security, AWS Trust and Safety, or AWS service teams. These notifications might include security issues or potential abusive or fraudulent activities on your AWS account. Notifications can be from AWS Support, or other AWS service teams concerning security related topics associated with your AWS account usage. Do not include sensitive information in the subject line or full name fields since this might be used in email communications to you.
RoB
answered 2 years ago
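The advice in jsonc's and RoB's answers (company-owned distribution lists as the Billing, Operations and Security alternate contacts on every account) is easy to state and easy to let drift across a dozen accounts. The script below is an added example, not code from the thread or from AWS: it lists the active accounts in an Organization, audits each account's three alternate contacts for ones that are missing or point at a non-company address, and can set all three from a single company-owned definition. It shells out to the real AWS CLI commands `aws organizations list-accounts`, `aws account get-alternate-contact` and `aws account put-alternate-contact`, but the runner is injectable, so the included `fake_runner` with constructed sample data lets it run offline. The company domain `example.com`, the distribution-list addresses, phone numbers and account ids are all constructed placeholders. Setting contacts on member accounts with `--account-id` only works from the management account (or a delegated administrator) after trusted access for AWS Account Management has been enabled in Organizations.

```python
"""Audit and set AWS account alternate contacts across an Organization.

Added example (not from the re:Post thread or AWS docs). Shells out to the real
AWS CLI; `runner` is injectable so the logic can be checked offline against
constructed JSON. Domain, addresses, phone numbers and account ids are constructed.
"""
import json
import subprocess
from dataclasses import dataclass

CONTACT_TYPES = ("BILLING", "OPERATIONS", "SECURITY")  # the three alternate contact types


@dataclass(frozen=True)
class Contact:
    email: str
    name: str
    phone: str
    title: str


# Constructed company-owned contacts: distribution lists, not individuals.
COMPANY_CONTACTS = {
    "BILLING": Contact("aws-billing@example.com", "Finance team", "+1-555-0100", "Billing"),
    "OPERATIONS": Contact("aws-ops@example.com", "Cloud operations", "+1-555-0101", "Operations"),
    "SECURITY": Contact("aws-security@example.com", "Security team", "+1-555-0102", "Security"),
}


def put_contact_argv(account_id, contact_type, contact):
    """Build the argv for `aws account put-alternate-contact` on one account."""
    if contact_type not in CONTACT_TYPES:
        raise ValueError(f"unknown alternate contact type: {contact_type}")
    return ["aws", "account", "put-alternate-contact",
            "--account-id", account_id, "--alternate-contact-type", contact_type,
            "--email-address", contact.email, "--name", contact.name,
            "--phone-number", contact.phone, "--title", contact.title]


def run_cli(argv):
    """Default runner: execute the CLI and parse JSON output; None on a CLI error
    (the CLI exits non-zero with ResourceNotFoundException when no contact is set)."""
    proc = subprocess.run(argv + ["--output", "json"], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def list_active_accounts(runner=run_cli):
    """Ids of ACTIVE member accounts from `aws organizations list-accounts`."""
    out = runner(["aws", "organizations", "list-accounts"]) or {"Accounts": []}
    return [a["Id"] for a in out["Accounts"] if a.get("Status") == "ACTIVE"]


def audit_contacts(account_ids, company_domain, runner=run_cli):
    """Return {account_id: [findings]} for contacts that are missing or personal."""
    findings = {}
    for acct in account_ids:
        problems = []
        for ctype in CONTACT_TYPES:
            out = runner(["aws", "account", "get-alternate-contact",
                          "--account-id", acct, "--alternate-contact-type", ctype])
            if not out:
                problems.append(f"{ctype}: not set")
                continue
            email = out["AlternateContact"]["EmailAddress"].lower()
            if not email.endswith("@" + company_domain.lower()):
                problems.append(f"{ctype}: non-company address {email}")
        if problems:
            findings[acct] = problems
    return findings


def apply_contacts(account_ids, contacts, runner=run_cli):
    """Set every contact type on every account; returns the argv lists issued."""
    issued = []
    for acct in account_ids:
        for ctype, contact in contacts.items():
            argv = put_contact_argv(acct, ctype, contact)
            runner(argv)
            issued.append(argv)
    return issued


# Constructed sample state: 1111... is compliant, 2222... has one personal contact
# and two unset ones, 3333... is suspended and therefore skipped.
SAMPLE_ACCOUNTS = [{"Id": "111111111111", "Status": "ACTIVE"},
                   {"Id": "222222222222", "Status": "ACTIVE"},
                   {"Id": "333333333333", "Status": "SUSPENDED"}]
SAMPLE_CONTACTS = {"111111111111": {t: c.email for t, c in COMPANY_CONTACTS.items()},
                   "222222222222": {"SECURITY": "jane.doe@gmail.example"}}


def fake_runner(argv):
    """Offline stand-in for run_cli that answers from the constructed sample state."""
    cmd = argv[2]
    if cmd == "list-accounts":
        return {"Accounts": SAMPLE_ACCOUNTS}
    acct = argv[argv.index("--account-id") + 1]
    ctype = argv[argv.index("--alternate-contact-type") + 1]
    if cmd == "get-alternate-contact":
        email = SAMPLE_CONTACTS.get(acct, {}).get(ctype)
        return {"AlternateContact": {"AlternateContactType": ctype,
                                     "EmailAddress": email}} if email else None
    return {}  # put-alternate-contact returns no body


if __name__ == "__main__":
    accounts = list_active_accounts(fake_runner)  # use run_cli to query AWS for real
    print(json.dumps(audit_contacts(accounts, "example.com", fake_runner), indent=2))
```

Run the audit first and review its findings before calling `apply_contacts` with `run_cli`; the put call overwrites whatever contact is currently set, so an account whose existing contact is a legitimate different team list should be excluded rather than silently replaced.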
