Separation of duties & storage of AWS Root Account credentials

This guide presents a secure approach for storage and access to AWS root account credentials. It is designed for multiple AWS root accounts operated under separation of duties, but could be easily scaled down for simpler environments.

Separation of Duties

Two teams will be used throughout this document, SuperUsers and Approvers. Members of the SuperUsers group can gain access to the AWS root account to take appropriate actions, but only after collaboration with a member of the Approvers group.

AWS root accounts have four key elements for protection and segregation, each held by only one of the two groups:

  Element              Credential                      Held by
  Emergency access     Root password                   SuperUsers
  Root MFA             TOTP                            Approvers
  Credentials reset    Email                           SuperUsers
  Credentials reset    Security challenge questions    Approvers


Strong Passwords

Every password created in this process MUST be strong. A good approach is to:

  1. Use a password generator like Apple’s Password Assistant or LastPass with appropriate options, such as minimum length being 16 characters.

  2. Test some sample passwords (not those you will actually use) with a site like How Secure Is My Password.
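As an added illustration of the two steps above (not part of the original guide), the following Python script generates a password of at least 16 characters from the operating system's CSPRNG and estimates its strength as bits of entropy. The entropy estimate assumes each character was chosen uniformly at random from the character classes present, which is true for generated passwords but not for human-chosen ones; the 80-bit threshold in is_strong is an assumed policy value, not one from the guide.

```python
import math
import secrets
import string

# Full printable ASCII alphabet: 26 + 26 + 10 + 32 = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _classes(password: str):
    """Return which character classes appear in the password."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punct": any(c in string.punctuation for c in password),
    }


def generate_password(length: int = 16) -> str:
    """Generate a random password using the CSPRNG behind the secrets module."""
    if length < 16:
        raise ValueError("minimum length is 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Reject the rare draw that misses a class, so every password covers all four
        if all(_classes(candidate).values()):
            return candidate


def entropy_bits(password: str) -> float:
    """Estimate entropy as length * log2(pool), pool = size of classes present.

    Only meaningful for randomly generated passwords; a human-chosen word such as
    'password' is far weaker than this figure suggests because it is predictable.
    """
    present = _classes(password)
    pool = 0
    if present["lower"]:
        pool += 26
    if present["upper"]:
        pool += 26
    if present["digit"]:
        pool += 10
    if present["punct"]:
        pool += len(string.punctuation)  # 32 symbols
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def is_strong(password: str, min_length: int = 16, min_bits: float = 80.0) -> bool:
    """Assumed policy check: at least 16 characters and at least 80 bits of entropy."""
    return len(password) >= min_length and entropy_bits(password) >= min_bits


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(entropy_bits(pw), 1), "bits", "strong" if is_strong(pw) else "weak")
```

A 16-character password drawn from all 94 printable symbols yields roughly 105 bits, comfortably above the threshold; an eight-letter lowercase word scores under 40 bits even before its predictability is taken into account.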

Storing Credentials for AWS Root Accounts

Password management software (e.g. Keychain, KeePass) will be used to protect each type of credential. This guide uses Keychain on Mac OS X for specific examples.

Two groups should be created (e.g. in Active Directory) for access management to the credentials:

  1. AWSRootAccountSuperUsers
  2. AWSRootAccountApprovers

Create a secure folder structure to store the credential databases:

  /SuperUsers                   # Accessible to AWSRootAccountSuperUsers only
    AWSRootPasswords.kdbx       # Root passwords
  /Approvers                    # Accessible to AWSRootAccountApprovers only
    AWSMFAKeys.kdbx             # Secrets used for MFA TOTP generation
    AWSSecurityChallenges.kdbx  # AWS security challenge answers

