Email accounts for AWS Root Accounts

Each AWS Root Account requires a unique email address. When managing multiple AWS Root Accounts for a single organization it helps to have a clear scheme in place for managing email addresses and access to them. This guide outlines a best practice scheme for AWS Root Account email addresses.

Have a master mailbox

A master mailbox should be created where all email received to AWS accounts will be sent. For example:

aws@example.com

Have an extensible email address format

Each AWS Root Account requires a unique email address, which should be directed back to the master mailbox. For example:

aws+aaa@example.com
aws+aab@example.com
aws+aac@example.com

With email providers such as Google Apps, anything after the plus sign is treated as an automatic alias of the master mailbox address, so the scheme scales to new accounts without extra work.

Other email systems, such as Exchange, may require creation of a series of email address aliases each pointing back to the master mailbox.
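To make the scheme checkable rather than just documented, the following added example (not part of the original guide) generates the next unused `aws+xxx` alias and audits an account inventory for root emails that do not map back to the master mailbox. The master mailbox, the account IDs and the inventory rows are constructed sample values.

```python
import itertools
import re
import string

# Constructed master mailbox, following the scheme described above.
MASTER = "aws@example.com"


def alias_suffixes():
    """Yield the three-letter suffixes aaa, aab, aac, ... in order."""
    for combo in itertools.product(string.ascii_lowercase, repeat=3):
        yield "".join(combo)


def next_root_email(existing, master=MASTER):
    """Return the first plus-address alias of the master mailbox not yet in use."""
    local, domain = master.lower().split("@")
    used = {e.lower() for e in existing}
    for suffix in alias_suffixes():
        candidate = f"{local}+{suffix}@{domain}"
        if candidate not in used:
            return candidate
    raise RuntimeError("alias space exhausted")


def canonical_mailbox(address):
    """Strip the plus tag: 'aws+aab@example.com' -> 'aws@example.com'."""
    local, _, domain = address.lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


# Exactly one plus tag of three lowercase letters, e.g. aws+aab@example.com.
ALIAS_RE = re.compile(r"[^@+]+\+[a-z]{3}@[^@]+")


def audit_root_emails(accounts, master=MASTER):
    """Return (account_id, email, problem) for every root email outside the scheme."""
    findings = []
    for account_id, email in accounts:
        if canonical_mailbox(email) != master.lower():
            findings.append((account_id, email, "not an alias of the master mailbox"))
        elif not ALIAS_RE.fullmatch(email.lower()):
            findings.append((account_id, email, "does not use the aws+xxx alias format"))
    return findings


# Constructed inventory: two compliant accounts, one on a personal mailbox,
# one registered directly on the master address instead of an alias.
ACCOUNTS = [
    ("111111111111", "aws+aaa@example.com"),
    ("222222222222", "aws+aab@example.com"),
    ("333333333333", "bob@example.com"),
    ("444444444444", "aws@example.com"),
]
```

Running `audit_root_emails(ACCOUNTS)` flags the last two accounts, and `next_root_email([e for _, e in ACCOUNTS])` hands back `aws+aac@example.com` for the next account to be created.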

Restrict mailbox access to users without access to Security Challenge Answers

It is critical to maintain separation of duties throughout the reset of AWS Root Account credentials. Access to the mailbox MUST be restricted to users who do not have access to the answers to the Security Challenge Questions.

Per our guide on Separation of duties & storage of AWS Root Account credentials, grant access to the master mailbox only to users in the Approvers group.
