
Best practices on storing root credentials

0

I have a customer with 60+ AWS accounts. They would like to learn about best practices for storing root credential passwords and OTP seeds. I suppose there are multiple ways of doing this, ranging from only storing the OTP seeds and generating a new password when using the mailboxes, to splitting the storage of the seeds and passwords across two different vaults. Do we have any published guidance on how best to implement this?

3 Answers
1

Hey there - I wanted to make sure you were aware of a feature that launched in November 2024 which allows you to centrally manage root access.

Blog Post: https://aws.amazon.com/blogs/aws/centrally-managing-root-access-for-customers-using-aws-organizations/

User Guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html

After being enabled, new accounts you create in Organizations have no root user credentials by default. It also allows you to specifically perform certain tasks that are needed by root credentials:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user-privileged-task.html

AWS
answered a year ago
0

There are several best practices that can be followed when it comes to storing root credential passwords and OTP (One-Time Password) seeds for organizations with multiple AWS accounts. Here are some recommendations:

Use a Password Manager:
    Implement a secure password manager solution, such as AWS Secrets Manager, HashiCorp Vault, or a third-party password management tool.
    Store the root account passwords and OTP seeds in the password manager, which provides encryption, access control, and audit logging capabilities.
    Ensure that the password manager is accessible only to authorized personnel, such as IT administrators or security teams.

Separate Storage for Passwords and OTP Seeds:
    Consider storing the root account passwords and OTP seeds in separate locations or vaults, such as different AWS Secrets Manager or HashiCorp Vault instances.
    This approach adds an additional layer of security, as an attacker would need to compromise both storage locations to gain full access to the root account credentials.

Multi-factor Authentication (MFA):
    Enforce the use of MFA for all root accounts, even when the passwords are stored securely.
    This ensures that even if the password is compromised, the attacker still requires the second factor (the OTP) to access the root account.
    Regularly rotate the OTP seeds and update them in the password manager or separate OTP seed storage.

Least Privilege Access:
    Limit the number of users or roles that have access to the root account credentials, following the principle of least privilege.
    Establish a clear process and approval workflow for accessing the root account credentials, ensuring that access is granted only when necessary and to authorized personnel.

Monitoring and Auditing:
    Implement robust logging and monitoring mechanisms to track all access and usage of the root account credentials.
    Regularly review the access logs and audit trails to detect any suspicious or unauthorized activities.
    Integrate the logging and monitoring with your security information and event management (SIEM) solution for centralized security monitoring.

Incident Response and Disaster Recovery:
    Develop a clear incident response plan for compromised root account credentials or OTP seeds.
    Ensure that you have a documented and tested disaster recovery process to quickly revoke and replace the compromised credentials, if necessary.

Organizational Governance:
    Establish clear policies and procedures for the management of root account credentials and OTP seeds across your 60+ AWS accounts.
    Ensure that these policies are consistently applied and monitored across the entire organization.
    Regularly review and update the policies to adapt to changes in security best practices and regulatory requirements.

While there is no single "one-size-fits-all" solution, the recommendations above provide a solid foundation for securely storing and managing root account credentials and OTP seeds for organizations with multiple AWS accounts. It's essential to tailor the implementation based on your specific security requirements, organizational structure, and industry regulations.

Additionally, you may want to consult AWS security whitepapers, such as the "AWS Security Best Practices" document, for more comprehensive guidance on AWS security practices.

answered a year ago
0

Guidance/recommendation from AWS is not to store any root credentials. We released new guidance using Central Root Access Management. With this new feature you don't have to manage root credentials. Enable this feature and delete root credentials from the central management account, and you are secure and safe.

https://repost.aws/articles/ARIppLTq8lTaifWGqxGfAaDg/securing-the-cloud-the-evolution-and-future-of-aws-root-access-management-mfa-integration-and-mfa-adoption-timelines-for-enhanced-security-design

https://aws.amazon.com/blogs/security/secure-root-user-access-for-member-accounts-in-aws-organizations/

AWS
EXPERT
answered 8 months ago
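The "Monitoring and Auditing" point in the second answer and the centrally managed root access feature in the first and third answers meet in CloudTrail: once member-account root credentials are deleted, any root sign-in or root API call is a finding, while privileged root tasks should show up only as `sts:AssumeRoot` sessions from the management account. The following is an added example, not code from the thread or from AWS, that classifies a constructed batch of CloudTrail records that way; the `userIdentity.type`, `additionalEventData.MFAUsed` fields are standard CloudTrail, while the `requestParameters` field names for `AssumeRoot` records are assumed from the STS API parameter names and should be checked against your own trail.

```python
from typing import Optional

# Constructed sample CloudTrail records; account IDs and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
     "userIdentity": {"type": "AssumedRole", "accountId": "999999999999"},
     "requestParameters": {  # assumed field names, mirroring the AssumeRoot API
         "targetPrincipal": "222222222222",
         "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"}},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.11"},
]


def classify(event: dict) -> Optional[dict]:
    """Return a finding for root activity or an AssumeRoot session, else None."""
    ident = event.get("userIdentity", {})
    account = ident.get("accountId")
    src = event.get("sourceIPAddress")
    if ident.get("type") == "Root":
        # With centrally managed root access, member-account root credentials are
        # removed, so any root activity is unexpected; a login without MFA is worst.
        if event.get("eventName") == "ConsoleLogin":
            mfa = event.get("additionalEventData", {}).get("MFAUsed", "No")
            return {"severity": "HIGH" if mfa != "Yes" else "MEDIUM",
                    "kind": "root-console-login", "account": account, "src": src}
        return {"severity": "HIGH", "kind": "root-api-call",
                "account": account, "api": event.get("eventName"), "src": src}
    if (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "AssumeRoot"):
        # Expected path for privileged root tasks; review target account and task.
        params = event.get("requestParameters", {})
        return {"severity": "INFO", "kind": "assume-root", "caller": account,
                "account": params.get("targetPrincipal"),
                "task": params.get("taskPolicyArn", {}).get("arn"), "src": src}
    return None


def audit(events: list) -> list:
    """Classify a batch of records and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

Feed it the decoded `Records` array of a CloudTrail log file, or wire the same conditions into your SIEM's rule language.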
