Skip to main content

AWS management account root user credentials

The AWS management account is the account used to create the AWS organization. It is a payer account and pays all charges accrued by the member accounts (see AWS Organizations terminology and concepts).

DoiT requires access to the root user credentials of the AWS management account (formerly known as Master Payer Account (MPA)) for billing administration. We do not require access to root users of any AWS member accounts.

Why does DoiT hold the AWS management account root user credentials?

DoiT holds the root user credentials of the AWS management account, which is the payer account of the AWS organization, for billing administration.

Amazon requires its partners such as DoiT to use root user credentials of a payer account when communicating with Amazon for billing issues.

In addition, we set the management account root user's email address to a unique DoiT-owned email account. Tickets are automatically created and updated in our ticketing system according to emails sent to that specific address. This allows our Customer Reliability Engineering (CRE) team to share account updates with you, as our customer, through support tickets.

How is my team impacted?

DoiT uses the management account root user credentials solely for billing administration.

We provide an IAM administrator role for you to perform daily admin tasks and access AWS resources. This is in line with the AWS Best practices to protect your account's root user.

In case you need to perform Tasks that require root user credentials, please open a support ticket to request DoiT to carry out the tasks.

How does DoiT secure and store the management account root user credentials?

DoiT stores the management account root user credentials in a secure vault. Only a specific group of DoiT employees has access to the secure vault. We audit the access and constrain it to performing Tasks that require root user credentials. In case you end the partnership with DoiT, we transfer the ownership of the credentials back to you.

After we update the root user credentials of the AWS management account to a DoiT email address, we generate a new strong password and enable multi-factor authentication (MFA) on the AWS management account. We encrypt the new password and vault it using specialized software.

DoiT operates on the highest level of industry security standards. See DoiT compliance offerings for our certifications and compliance standards.

How does DoiT release management account root user credentials?

There are two scenarios:

  • Closure of an account

  • Reverse assumption (customers taking billing ownership of accounts)

If you close an account, the root user credentials lead to a dead end. They do not need to be destroyed by DoiT.

If you terminate management services with DoiT, we follow the reverse assumption process, which includes changing the root user credentials to those defined by you as the customer.