Secure AWS Root Account Setup

Like root on a Linux server, the AWS Root Account has full permission to do everything. While CloudTrail logs activity by the AWS Root Account, there is no way to know (other than IP address) who was in control of the account when the activity occurred.

This guide steps through one approach to secure setup of an AWS Account and the associated root user.

Key Decisions

  1. What email address will be used for the account?

  2. How will MFA for the root account be managed?

  3. Where will the root password be stored?

  4. Where will security questions be stored?

Email accounts for AWS Root Accounts

Most organizations end up with multiple AWS accounts for different applications and teams. A scheme for managing the email accounts associated with these different AWS Accounts is important both to ensure secure operation of the credentials reset process.

See Email accounts for AWS Root Accounts for details of an appropriate scheme.

Separation of Duties

There are three ways to gain access to the AWS root account:

  1. Login to the AWS Console with credentials.
  2. API access using an Access Key and Secret Key from the Root Account.
  3. Forgot password process with AWS.

Separation of Duties ensures that no single user can obtain access, but instead to separate individuals must act in collaboration to get access.

See Separation of duties & storage of AWS root account credentials for details of an appropriate scheme.

Was this article helpful?
0 out of 0 found this helpful