Member account root user best practices
Hello,
We are using AWS Control Tower and Account Factory for account provisioning. We have protected the management account root email following the recommended best practices, but we are not sure about member accounts.
Provisioned member accounts are created with a random pregenerated password. If we want to secure a new account's root user, we have to reset its password manually using "Forgotten password" and then configure its MFA.
What we'd like to do is:
- Enable the "Disallow actions as a root user" guardrail for all OUs, which blocks all actions for the root user including its MFA setup.
- Don't enable a password for the root user after the account is enrolled, as mentioned in https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password
In this case the root email won't be able to perform any actions. But MFA won't be enabled, so the "MFA for root user" best practice and guardrail won't be satisfied. Also, the IAM dashboard will scream to all users that MFA is not enabled for the root user (but we can explain to our users that the root email is "disabled" by SCPs).
What is the best practice here for protecting the member account root user? It looks like the best practices "Disallow Actions as a Root User" and "Detect Whether MFA for the Root User is Enabled" are mutually exclusive.
thanks Martin
Hi Martin,
One way to overcome this is to create an OU which is only used to house new accounts temporarily. This OU should not have the "Disallow Actions as a Root User" guardrail enabled, allowing your platform team to log in and activate MFA. Then the account is ready to move to its actual intended OU, which does have "Disallow Actions as a Root User" enabled. Not a perfect solution, but it is one that I have seen with other customers.
Hope this helps!
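To make the conflict described in the question (and the staging-OU workaround in the answer) concrete, here is an added example that is not part of either post and not AWS code. It models the essential part of the "Disallow actions as a root user" guardrail as a Deny-all SCP conditioned on `aws:PrincipalArn` matching `arn:aws:iam::*:root` (an approximation of the guardrail's policy, not a copy of it), and checks whether the root user of an account can call `iam:EnableMFADevice` depending on which OU the account sits in. The OU names, the account ID and the role name are constructed for the illustration; the real AWS policy evaluator is far richer than this subset.

```python
import fnmatch

# Constructed approximation of the Control Tower "Disallow actions as a root user"
# guardrail: deny every action when the calling principal is the account root user.
RESTRICT_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}

# Hypothetical OU layout following the answer: a temporary staging OU without the
# guardrail, and the intended workload OU with it attached.
OU_SCPS = {
    "Staging": [],
    "Workloads": [RESTRICT_ROOT_SCP],
}


def _matches(patterns, value):
    """StringLike-style matching: '*' and '?' wildcards, case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(scp, action, principal_arn):
    """Return True if any Deny statement in the SCP matches the action and principal.

    Only the subset of SCP semantics needed here is modelled: Effect=Deny, Action
    as a string or list of wildcards, and an optional StringLike condition on
    aws:PrincipalArn. An explicit Deny always wins, so one match is enough.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if not isinstance(actions, list):
            actions = [actions]
        if not _matches(actions, action):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
        if patterns is None or _matches(patterns, principal_arn):
            return True
    return False


def principal_can(ou, action, principal_arn):
    """True if no SCP attached to the OU denies the action for this principal."""
    return not any(scp_denies(s, action, principal_arn) for s in OU_SCPS[ou])


def root_can(ou, action, account_id):
    """Convenience wrapper for the account root user's ARN."""
    return principal_can(ou, action, f"arn:aws:iam::{account_id}:root")


def mfa_onboarding_plan(account_id):
    """Show, per OU, whether the root user could still enrol an MFA device there.

    This is the point of the answer: enrol the account into the staging OU, set up
    root MFA, then move it to the guarded OU where root is locked out.
    """
    return {ou: root_can(ou, "iam:EnableMFADevice", account_id) for ou in OU_SCPS}


if __name__ == "__main__":
    plan = mfa_onboarding_plan("123456789012")  # constructed account ID
    for ou, allowed in plan.items():
        print(f"{ou}: root may enable MFA -> {allowed}")
    # The guardrail targets root only; a role in the guarded OU is unaffected.
    print("role in Workloads may list buckets ->",
          principal_can("Workloads", "s3:ListAllMyBuckets",
                        "arn:aws:iam::123456789012:role/PlatformAdmin"))
```

Running it shows root MFA enrolment is possible in `Staging` and blocked in `Workloads`, while a normal IAM role in `Workloads` is untouched; that is exactly why the guardrail and the "root MFA enabled" check cannot both be satisfied in a single OU unless MFA is configured before the account lands under the guardrail.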