By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Member account root user best practices

0

Hello,

we are using AWS Control Tower and Account Factory for account provisioning. We have protected management account root email following recomended best practices, but we are not sure about member accounts.

Provisioned member accounts are created with random pregenerated password, if we wan't to secure new account root user we have to reset its password manually using Forgotten password and then configure its MFA.

What we'd like to do is

In this case root email won't be able to do any actions. But the MFA won't be enabled so MFA for root user best practise and guardrail won't be satisfied. Also IAM dashboard will scream to all users that MFA is not enabled for root user (But we can explain our users that root email is "disabled" by SCPs).

What is the best practise here for protecting member account root user? It looks like best practices Disallow Actions as a Root User and Detect Whether MFA for the Root User is Enabled are mutually exclusive.

thanks Martin

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Identity and Access ManagementAWS Control TowerAWS Organizations
Language
English
Martin Halamicek
asked 2 years ago1365 views
1 Answer
0

Hi Martin,

One way to overcome this is to create an OU which is only used to house new accounts temporarily. This OU should not have the Disallow Actions as a Root User guardrail enabled, allowing your platform team to login and activate MFA. Then the account is ready to move to it's actual intended OU, which does have the Disallow Actions as a Root User enabled. Not a perfect solution, but it is one that I have seen with other customers.

Hope this helps!

AWS
str3tch
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content