Member account root user best practices

We are using AWS Control Tower and Account Factory for account provisioning. We have protected the management account root email following the recommended best practices, but we are not sure about member accounts.

Provisioned member accounts are created with a random pre-generated password; if we want to secure the new account's root user, we have to reset its password manually using "Forgotten password" and then configure its MFA.

What we'd like to do is

In this case the root email won't be able to do any actions. But MFA won't be enabled, so the "MFA for root user" best practice and guardrail won't be satisfied. Also, the IAM dashboard will scream to all users that MFA is not enabled for the root user (but we can explain to our users that the root email is "disabled" by SCPs).

What is the best practice here for protecting the member account root user? It looks like the best practices "Disallow Actions as a Root User" and "Detect Whether MFA for the Root User is Enabled" are mutually exclusive.

Thanks, Martin

1 Answer

Hi Martin,

One way to overcome this is to create an OU which is only used to house new accounts temporarily. This OU should not have the "Disallow Actions as a Root User" guardrail enabled, allowing your platform team to log in and activate MFA. Then the account is ready to move to its actual intended OU, which does have "Disallow Actions as a Root User" enabled. Not a perfect solution, but it is one that I have seen with other customers.

Hope this helps!

answered 2 years ago
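The workflow in the answer above only works if the temporary onboarding OU really does let the root user act and the target OU really does deny it, and if each account is moved only after root MFA is on. The following is an added example (not part of the original question or answer, and not Control Tower's own code) that models exactly that ordering offline. The `RESTRICT_ROOT_SCP` document is constructed here in the general form of the Control Tower "Disallow Actions as a Root User" guardrail (an explicit Deny conditioned on `aws:PrincipalArn` matching `arn:aws:iam::*:root`); the `FULL_AWS_ACCESS_SCP` document mirrors the default SCP attached to every OU; the account summaries stand in for what `iam:GetAccountSummary` returns (its `AccountMFAEnabled` field is what the root MFA detective control inspects). Account IDs, function names and the `plan_onboarding` helper are assumptions of this example.

```python
"""Added example: decide when a freshly provisioned member account may leave the
temporary onboarding OU. All SCP documents and account data below are constructed."""
import fnmatch

# Constructed SCP in the general form of the Control Tower "Disallow Actions as a
# Root User" guardrail: an explicit Deny on everything when the caller is root.
RESTRICT_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRRESTRICTROOTUSER",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}

# Mirror of the default SCP on every OU; without an Allow, SCPs permit nothing.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Calls the root user needs to enroll a virtual MFA device from the console.
MFA_ENROLL_ACTIONS = ("iam:CreateVirtualMFADevice", "iam:EnableMFADevice")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the StringLike / StringEquals operators used by this guardrail."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None:
                return False  # missing context key: condition is false
            if operator == "StringLike":
                if not any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns)):
                    return False
            elif operator == "StringEquals":
                if value not in _as_list(patterns):
                    return False
            else:
                raise ValueError(f"operator {operator!r} not modelled in this example")
    return True


def _statement_applies(stmt, action, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def scp_allows(scps, action, principal_arn):
    """SCP semantics: an explicit Deny in any attached policy wins; otherwise at
    least one policy must Allow the action."""
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _statement_applies(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def root_can_enroll_mfa(ou_scps, account_id):
    """Can the root user of account_id perform the MFA enrollment calls under
    the SCPs attached to the OU the account currently sits in?"""
    root_arn = f"arn:aws:iam::{account_id}:root"
    return all(scp_allows(ou_scps, action, root_arn) for action in MFA_ENROLL_ACTIONS)


def root_mfa_enabled(account_summary):
    """Same signal the root MFA detective control uses: GetAccountSummary's
    AccountMFAEnabled is 1 once a device is registered on the root user."""
    return account_summary.get("AccountMFAEnabled") == 1


def plan_onboarding(account_summaries, onboarding_scps, target_scps):
    """For each new account (id -> GetAccountSummary map) say what to do next.
    Hypothetical helper: refuses to proceed if the onboarding OU already denies
    root (MFA could never be enrolled there) or if the target OU does not deny it."""
    plan = {}
    for account_id, summary in account_summaries.items():
        if not root_can_enroll_mfa(onboarding_scps, account_id):
            plan[account_id] = "blocked: onboarding OU denies root, detach that guardrail there"
        elif root_can_enroll_mfa(target_scps, account_id):
            plan[account_id] = "blocked: target OU does not restrict root, attach the guardrail"
        elif root_mfa_enabled(summary):
            plan[account_id] = "move to target OU"
        else:
            plan[account_id] = "reset root password and enroll MFA, then re-check"
    return plan


if __name__ == "__main__":
    # Constructed account summaries: one already has root MFA, one does not.
    summaries = {"111111111111": {"AccountMFAEnabled": 1},
                 "222222222222": {"AccountMFAEnabled": 0}}
    onboarding = [FULL_AWS_ACCESS_SCP]
    target = [FULL_AWS_ACCESS_SCP, RESTRICT_ROOT_SCP]
    for acct, step in plan_onboarding(summaries, onboarding, target).items():
        print(acct, "->", step)
```

The two "blocked" branches are the checks worth keeping in an automated version: they catch the guardrail being inherited by the onboarding OU from a parent OU (the root user then cannot enroll MFA at all) and the target OU silently losing the guardrail (the account would be moved without the protection the move was meant to provide).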
