AWS management account root user credentials
The AWS management account is the account used to create the AWS organization. It is a payer account and pays all charges accrued by the member accounts (see AWS Organizations terminology and concepts).
DoiT co-owns the root user credentials of the AWS management account (formerly known as the Master Payer Account (MPA)) for billing administration. We do not require access to the root user of any AWS member account.
Why does DoiT hold the AWS management account root user credentials?
DoiT holds the root user credentials of the AWS management account, which is the payer account of the AWS organization, for billing administration.
Amazon requires its partners such as DoiT to use root user credentials of a payer account when communicating with Amazon for billing issues.
In addition, we set the management account root user's email address to a unique DoiT-owned email account. This address is a distribution list, and you can add email addresses owned by your organization to it. This ensures that you continue to receive all emails that AWS sends to the root user.
Our support request system automatically creates and updates requests according to emails sent to that specific address. This allows our Customer Reliability Engineering (CRE) team to share account updates with you, as our customer, through support requests.
Co-ownership of the AWS management account root user credentials
DoiT co-owns the root user credentials with our customers in our new approach to enhance security and transparency. This means that both DoiT and you have access to the root user credentials, providing an additional layer of security and control for you.
How is my team impacted?
DoiT uses the management account root user credentials solely for billing administration.
We provide you with root user access so that you can create an IAM role and manage access to the account for your company. All requests for access to the management account should be handled internally within your company, using that role rather than the root user. This aligns with the AWS best practices for protecting your account's root user.
How does DoiT secure and store the management account root user credentials?
DoiT stores the management account root user credentials in a secure vault. Only a specific group of DoiT employees has access to the vault. We audit that access and constrain it to tasks that require root user credentials. If you end the partnership with DoiT, we transfer ownership of the credentials back to you.
After we update the root user's email address of the AWS management account to a DoiT address, we set the root user password (see the two scenarios below) and enable multi-factor authentication (MFA) on the root user. We also encrypt the new password and vault it using specialized software.
There are two scenarios in which we handle the password:
- You want to keep your existing password. We send you a secure one-time link, which you use to share the password with us.
- You want to change your password. We send you a securely generated password via a one-time link.
In both scenarios, we make sure that the credentials are handled securely.
DoiT operates at the highest level of industry security standards. See DoiT compliance offerings for our certifications and compliance standards.
How does DoiT release management account root user credentials?
As part of our co-ownership policy, customers already have access to the root user credentials. This co-ownership provides an additional layer of security and control for the customer.
There are two additional scenarios:
- Closure of an account
- Reverse assumption (customers taking billing ownership of accounts)
If you close an account, the root user credentials no longer grant access to anything, so DoiT does not need to destroy them. Note that AWS keeps a closed account recoverable for a post-closure period (currently 90 days) during which it can be reopened by signing in as the root user, so treat the credentials as live until that period has passed.
If you terminate management services with DoiT, we follow the reverse assumption process, which includes changing the root user credentials to those defined by you as the customer.
Usage of root user credentials
DoiT uses root user credentials sparingly. They are used primarily during onboarding, and afterwards only when necessary to communicate with AWS about billing issues. For all regular activities we use IAM roles, which aligns with AWS best practices for account security. This approach ensures that the root user credentials are not exposed to unnecessary risk.
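The section "How is my team impacted?" tells you to create an IAM role in the management account and manage your company's access through it, and the section above states that all regular activity should go through IAM roles rather than the root user. The script below is an added example (not DoiT's or AWS's own code) of what that role's trust policy should look like and how to check one before attaching it. It builds a trust policy that lets only named principals from your company's identity account assume the role, requires MFA, and optionally requires an ExternalId; it then audits an arbitrary trust policy for the mistakes that would widen access to the payer account (a wildcard principal, trusting a whole account via `:root`, a principal from an unexpected account, or no MFA condition). The account ID `111111111111`, the role name `BillingAdmins`, and the ExternalId value are placeholders, not values from the page.

```python
"""Build and audit the trust policy of a customer-managed access role in an
AWS management account. Added example; account IDs, role names and the
ExternalId are placeholders (assumptions), not values from the page."""
import json

ASSUME_ROLE = "sts:AssumeRole"
COMPANY_IDENTITY_ACCOUNT = "111111111111"  # placeholder: your company's identity account


def build_trust_policy(trusted_principal_arns, require_mfa=True, external_id=None):
    """Return a trust policy that lets only the listed principals assume the role.

    require_mfa adds the aws:MultiFactorAuthPresent condition; external_id adds an
    sts:ExternalId check (a confused-deputy guard when a third party assumes the role).
    """
    condition = {}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    statement = {
        "Sid": "AllowCompanyIdentitiesToAssume",
        "Effect": "Allow",
        "Principal": {"AWS": list(trusted_principal_arns)},
        "Action": ASSUME_ROLE,
    }
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def _principals(statement):
    """Normalise the Principal element to a list of ARNs / account IDs / '*'."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def audit_trust_policy(policy, allowed_account_ids):
    """Return findings for Allow statements that let someone assume the role too widely."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in (ASSUME_ROLE, "sts:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principals(stmt):
            if p == "*":
                findings.append(f"{sid}: wildcard principal can assume the role")
                continue
            # arn:aws:iam::<account>:role/Name -> field 4 is the account ID
            account = p.split(":")[4] if p.count(":") >= 5 else p
            if account not in allowed_account_ids:
                findings.append(f"{sid}: principal {p} is outside the allowed accounts")
            if p.endswith(":root") or p.isdigit():
                findings.append(f"{sid}: {p} trusts every principal in that account, not a named role")
        cond = stmt.get("Condition", {})
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append(f"{sid}: no MFA condition on sts:AssumeRole")
    return findings


# Constructed sample policies for the audit.
GOOD = build_trust_policy(
    [f"arn:aws:iam::{COMPANY_IDENTITY_ACCOUNT}:role/BillingAdmins"],
    require_mfa=True,
    external_id="example-external-id",  # placeholder
)
# Weak policy for contrast: trusts the whole account and has no MFA condition.
WEAK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{COMPANY_IDENTITY_ACCOUNT}:root"},
        "Action": ASSUME_ROLE,
    }],
}

if __name__ == "__main__":
    # Save as trust.json and create the role with:
    #   aws iam create-role --role-name MgmtAccountAdmin \
    #       --assume-role-policy-document file://trust.json
    print(json.dumps(GOOD, indent=2))
    for finding in audit_trust_policy(WEAK, {COMPANY_IDENTITY_ACCOUNT}):
        print("WEAK:", finding)
```

Run the audit against any trust policy you already have in the management account (`aws iam get-role --role-name <name>` returns it under `AssumeRolePolicyDocument`). One caveat on the MFA condition: `aws:MultiFactorAuthPresent` is reliably present for IAM users who authenticate with an MFA device and for sessions that started with MFA; for federated or role-chained callers, confirm in your own setup that the key reaches the request context, or the condition will simply deny every AssumeRole call.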