Best practice for AWS root account or superuser?

Normally, we have the rule of 3 people having superuser access with 3 username/passwords and if anyone is ever offboarded(they leave or are fired), on vacation, out sick, different time-zone, someone has access still and we are never crippled. When looking at AWS, I don't get why it seems there is only one AWS 'root account' and password. It would seem the person with the keys to the castle is not in a position to ever be fired in this case or rather he will know as soon as you ask him for the single account (when it is tied to MFA especially).

Am I missing something? Is there a 'superuser' we can add for 2 more people that has the power to remove the root account?

In devops, this has been done for years in linux, windows, etc.

Oh, for compliance, all accounts will need MFA enabled as well which means we can't share this root account really either. How are others handling this so 3 different people can support the company while others are out sick?

Oh man, what if the guy with the root password/login died. Would the company be screwed?

thanks!

There are only very very few tasks that really require the AWS root account or the equivalent management account in AWS Organizations .

See:

• https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root

Assign your fellow administrators proper roles and delegate the relevant permissions to the correct people and root access should hardly ever be needed. Then it can be difficult by design to get that root access and for example require a trip to the office to get the MFA token from the company safe.

It sounds like your organisation is large enough that you should have already made switch to AWS Organizations: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

Then follow for example the guidelines in:

• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html