Consider Centralising Root Account Access #9502

Open
2 tasks
richgreen-moj opened this issue Mar 7, 2025 · 0 comments
richgreen-moj commented Mar 7, 2025

User Story

As an MP Engineer
I want to consider centralising root user access to the AWS Organization account
So that the security of the MoJ organisation is enhanced

Value / Purpose

Beginning March 24, 2025, AWS will require multi-factor authentication (MFA) for the root user of your AWS organization’s member account when accessing the AWS Console.

We don't access the root user in MP accounts very often; in fact, I think the main use case was for deleting accounts, which we now do directly from the root (organisation master) account.

We should consider enabling this setup as best practice.

I'm not sure if this needs any engagement with non-MP accounts as it would affect everyone under the organisation and I'm not sure how those accounts are managed in regard to the root account access.

Context / Background

Email from AWS:

Hello,
Beginning March 24, 2025, AWS will require multi-factor authentication (MFA) for the root user of your AWS organization’s member account when accessing the AWS Console. Enabling MFA provides an additional layer of protection for your account and is available at no extra cost.
We recommend centralizing the root user credentials of AWS accounts managed using AWS Organizations [1]. After centralizing root access, you can choose to delete root user credentials from member accounts, eliminating the need for MFA for these root credentials. If you prefer to retain root credentials, registering MFA is required to enhance security.
Learn more about how this change enhances your security posture by visiting our blog [2].
For information about MFA and how to enable it, visit our guide [3]. If you require further assistance, please contact AWS Support [4].
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
[2] https://aws.amazon.com/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/
[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-mfa-for-root.html
[4] https://aws.amazon.com/support
Sincerely,
Amazon Web Services

Also this BLOG post:
https://aws.amazon.com/blogs/aws/centrally-managing-root-access-for-customers-using-aws-organizations/

Useful Contacts

No response

Additional Information

No response

Definition of Done

  • Consider centralising root user access - is it beneficial?
  • If deemed beneficial - DO IT!
@richgreen-moj richgreen-moj changed the title Centralise Root Account Access Consider Centralising Root Account Access Mar 7, 2025