Best practice for AWS root account or superuser?


Normally, we have the rule of 3 people having superuser access with 3 username/passwords and if anyone is ever offboarded (they leave or are fired), on vacation, out sick, different time-zone, someone has access still and we are never crippled. When looking at AWS, I don't get why it seems there is only one AWS 'root account' and password. It would seem the person with the keys to the castle is not in a position to ever be fired in this case or rather he will know as soon as you ask him for the single account (when it is tied to MFA especially).

Am I missing something? Is there a 'superuser' we can add for 2 more people that has the power to remove the root account?

In DevOps, this has been done for years in Linux, Windows, etc.

Oh, for compliance, all accounts will need MFA enabled as well which means we can't share this root account really either. How are others handling this so 3 different people can support the company while others are out sick?

Oh man, what if the guy with the root password/login died. Would the company be screwed?


To reply to your edit:

There are only very, very few tasks that really require the AWS root account or the equivalent management account in AWS Organizations.


Assign your fellow administrators proper roles and delegate the relevant permissions to the correct people and root access should hardly ever be needed. Then it can be difficult by design to get that root access and for example require a trip to the office to get the MFA token from the company safe.

It sounds like your organisation is large enough that you should have already made the switch to AWS Organizations:

Then follow for example the guidelines in:
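
Added example, not part of the answer above: a Python check over an IAM credential report for the state the answer describes (root protected by MFA, no root access keys, root rarely used) plus the question's requirement that every account has MFA. The CSV is a constructed sample using a subset of the report's columns, and the function name `audit` and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-28T09:14:03+00:00,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-30T08:00:00+00:00,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,2024-05-29T17:42:10+00:00,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,false
"""

def _parse_ts(value):
    """Return an aware datetime, or None for N/A / no_information."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def audit(report_csv, now, root_quiet_days=90):
    """Return (user, finding) tuples for the root row and console users."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, mfa = row["user"], row["mfa_active"] == "true"
        if user == "<root_account>":
            if not mfa:
                findings.append((user, "root has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root has an active access key"))
            last = _parse_ts(row["password_last_used"])
            if last and now - last < timedelta(days=root_quiet_days):
                findings.append((user, "root console login within %d days" % root_quiet_days))
        elif row["password_enabled"] == "true" and not mfa:
            # Service users without a console password are not flagged here.
            findings.append((user, "console user without MFA"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```
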

