
AWS "Non Root Access" Onboarding

DoiT provides an alternative onboarding approach for customers wishing to retain exclusive root account access to their "Management Account" (formerly known as the "Master Payer Account").

We require temporary access to the root credentials of each AWS Master Payer Account (MPA) to complete the account onboarding. During the period of temporary access, we store the root credentials in a secure vault to which only a specific group of DoiT employees has access. Once onboarding is complete, DoiT assists the customer in resetting the root credentials.

On occasions, DoiT may request temporary supervised access to the root account in order to complete certain tasks. Should such a need arise, we'll contact the designated person on your team.

Onboarding process

Step 1 — Readiness (by Customer)

After signing a contract with DoiT, your customer success manager will provide you with an onboarding process overview and guide you through the readiness phase. Here is how you can prepare:

  1. Identify the management AWS account in your AWS organization (formerly known as the Master Payer Account). Ensure that root account access is available for the onboarding call.

  2. Under the management account, create a new IAM user with Administrator policy. You'll be using this user to temporarily manage your organization during onboarding when DoiT has sole access to the root credentials.

    You can skip this step if you already have an IAM user with full permissions.

  3. (Optional) Enable CloudTrail logging of root account access during the period of temporary access. See FAQ.

  4. Notify your customer success manager that you are ready to proceed.

Step 2 — Initial Onboarding

This step is performed during a scheduled call between the customer and the DoiT AWS Ops team.

  1. (Customer) Remove MFA from the root account (DoiT re-enables it at the end of this step).

  2. (Customer) Change the root email address on the management account to the one provided by DoiT.

    Note

    The new email address will remain post onboarding (see FAQ).

  3. (DoiT) Reset the root password on the Customer's AWS MPA account.

  4. (DoiT) Re-enable MFA on the root account.

Step 3 — Account Configuration

This step is performed offline by the DoiT AWS Ops team.

  1. Replace the existing payment method with a DoiT payment method.

  2. Set tax profile to the country matching DoiT's billing profile.

  3. Complete the organization email verification process (necessary because the root email has changed).

  4. Enable Cost and Usage Reports (if not enabled already).

  5. Create a new S3 bucket (doitintl-awsops-{id}) to store the AWS Cost and Usage report.

  6. Set up a new Cost and Usage report (doitintl-awsops-{id}). If your account already has a compatible CUR report, we'll use that pre-configured report to save on S3 costs.

  7. Create doitintl_cmp IAM role to facilitate access from the DoiT Platform.

  8. Create DoiT-SSO-Strategic and DoiT-SSO-Billing-and-Support roles.

  9. Onboard the organization to SPP using AWS Channel Management dashboard.

Step 4 — Transfer Root Account to Customer

This step is performed during a scheduled call with the customer.

  1. (DoiT) Remove MFA from the root account (Customer to re-enable in the tasks below).

  2. (DoiT) Provide the current root password to Customer (via our one-time sharing facility).

  3. (Customer) Reset the root password on the Customer's AWS MPA account.

  4. (Customer) Re-enable MFA on the root account.

  5. (DoiT) Verify that DoiT's root account access has been removed.

FAQ

Why do you require the root credentials for onboarding?

We require temporary access in order to configure the billing account: configuring payment methods, implementing Cost and Usage Reports, and integrating with the DoiT Platform.

How does DoiT International secure and store root credentials?

After we update the root user's email address to a DoiT-provided address, we generate a new strong password and enable multi-factor authentication for the AWS account. We encrypt the new password and vault it using specialized secret-management software. Both DoiT and the secret-management software have SOC 2 Type II and ISO 27001 certifications.

Why does the root account need to use a @doit-intl.com email address?

This is required by the AWS Solution Provider Program for DoiT (as the channel partner) to link the Customer as a managed account. It doesn't limit your use of root credentials.

Is our AWS access impacted during the temporary transfer of root credentials?

Once your users have suitable IAM access, there will be no impact during the temporary transfer.

How long does DoiT require the temporary access?

Typically it takes 24–72 hours to complete the account onboarding process. We will schedule DoiT resources to ensure that the onboarding process completes as quickly as possible!

How does DoiT return the root access?

Once onboarding is complete, DoiT will organize a call with the customer and the root user credentials will be reset.

The root user email remains on the @doit-intl.com domain so that DoiT can carry out its contractual obligations to you.

Can you share the IAM policies for the roles on the management account?

Absolutely! You can find the policy for DoiT Platform role doitintl_cmp at this gist.

What is the DoiT-SSO-Strategic role? Who uses it, and when?

The DoiT-SSO-Strategic role grants the Strategic Account Managers (SAM) access to review customer usage, purchase a Savings Plan following a customer request, and issue support requests when needed. This role is also used by DoiT's billing automation for invoice collection purposes.

The DoiT-SSO-Strategic role has the following AWS-managed policies:

  • arn:aws:iam::aws:policy/job-function/SupportUser

  • arn:aws:iam::aws:policy/job-function/Billing

  • arn:aws:iam::aws:policy/AWSSupportAccess

  • arn:aws:iam::aws:policy/AWSSavingsPlansFullAccess

Inline IAM Policy is included in this gist.

What is the DoiT-SSO-Billing-and-Support role? Who uses it, and when?

The DoiT Customer Reliability Engineering (CRE) team uses the DoiT-SSO-Billing-and-Support role to perform the following actions when supporting customer requests:

  • Submit AWS support requests on behalf of the customer.

  • Review cost and usage data.

  • Review organization settings.

The DoiT-SSO-Billing-and-Support role has the following AWS-managed policies:

  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

  • arn:aws:iam::aws:policy/AWSSupportAccess

  • arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess
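The two role descriptions above list exactly which AWS-managed policies each DoiT SSO role should carry. A customer can verify that after onboarding, and re-check it periodically, by comparing the policies actually attached to each role against the documented set. The following script is an added example, not DoiT tooling: the expected ARNs are the ones listed on this page, and the input dictionaries are constructed samples in the shape that boto3's `iam.list_attached_role_policies(RoleName=...)` returns, so a live response can be passed in their place.

```python
"""Audit the DoiT SSO roles against their documented managed policies.

Added example (not DoiT code). Expected policy sets are taken from this page;
the attached-policy input mirrors boto3's list_attached_role_policies output.
"""

EXPECTED_MANAGED_POLICIES = {
    "DoiT-SSO-Strategic": {
        "arn:aws:iam::aws:policy/job-function/SupportUser",
        "arn:aws:iam::aws:policy/job-function/Billing",
        "arn:aws:iam::aws:policy/AWSSupportAccess",
        "arn:aws:iam::aws:policy/AWSSavingsPlansFullAccess",
    },
    "DoiT-SSO-Billing-and-Support": {
        "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
        "arn:aws:iam::aws:policy/AWSSupportAccess",
        "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess",
    },
}


def audit_role(role_name: str, list_attached_response: dict) -> dict:
    """Compare a role's attached managed policies with the documented set.

    Returns {"missing": set, "unexpected": set}. Both empty means the role
    matches the documentation; "unexpected" is the set to investigate first,
    since it means the role holds more privilege than documented.
    Raises KeyError for a role name this page does not document.
    """
    expected = EXPECTED_MANAGED_POLICIES[role_name]
    attached = {
        p["PolicyArn"]
        for p in list_attached_response.get("AttachedPolicies", [])
    }
    return {"missing": expected - attached, "unexpected": attached - expected}


def audit_all(responses: dict) -> dict:
    """Audit every documented role; `responses` maps role name -> API response."""
    return {
        name: audit_role(name, responses.get(name, {}))
        for name in EXPECTED_MANAGED_POLICIES
    }


def _arn(name: str) -> str:
    return f"arn:aws:iam::aws:policy/{name}"


# Constructed sample responses (not from a real account). The second role has
# AdministratorAccess attached on top of the documented policies.
SAMPLE_RESPONSES = {
    "DoiT-SSO-Strategic": {"AttachedPolicies": [
        {"PolicyName": "SupportUser", "PolicyArn": _arn("job-function/SupportUser")},
        {"PolicyName": "Billing", "PolicyArn": _arn("job-function/Billing")},
        {"PolicyName": "AWSSupportAccess", "PolicyArn": _arn("AWSSupportAccess")},
        {"PolicyName": "AWSSavingsPlansFullAccess",
         "PolicyArn": _arn("AWSSavingsPlansFullAccess")},
    ]},
    "DoiT-SSO-Billing-and-Support": {"AttachedPolicies": [
        {"PolicyName": "ViewOnlyAccess", "PolicyArn": _arn("job-function/ViewOnlyAccess")},
        {"PolicyName": "AWSSupportAccess", "PolicyArn": _arn("AWSSupportAccess")},
        {"PolicyName": "AWSBillingReadOnlyAccess",
         "PolicyArn": _arn("AWSBillingReadOnlyAccess")},
        {"PolicyName": "AdministratorAccess", "PolicyArn": _arn("AdministratorAccess")},
    ]},
}


if __name__ == "__main__":
    for role, result in audit_all(SAMPLE_RESPONSES).items():
        status = "OK" if not (result["missing"] or result["unexpected"]) else "DRIFT"
        print(f"{role}: {status}")
        for arn in sorted(result["unexpected"]):
            print(f"  unexpected: {arn}")
        for arn in sorted(result["missing"]):
            print(f"  missing:    {arn}")
```

Against a live account, build `responses` with `boto3.client("iam").list_attached_role_policies(RoleName=name)` for each role name (use the `list_attached_role_policies` paginator if a role ever has more than the default page of policies). The page also notes that DoiT-SSO-Strategic carries an inline policy; `iam.list_role_policies(RoleName=...)` returns inline policy names, which this check does not cover.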

Can DoiT reset the root credentials & MFA if the billing account is @doit-intl.com?

It is possible that we could raise a support request with AWS to remove the MFA in order to regain access to the account. However, this is only carried out in specific scenarios, such as when the Customer's MFA device has been lost, or in the event that DoiT needs to offboard the Customer's account due to default of payments as per contract terms.

We recommend enabling CloudTrail logging of all activities for the root user account so you can be alerted of suspicious activities. There are several approaches for account monitoring, which our CRE Team will be happy to assist with implementing!
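Step 1 suggests enabling CloudTrail logging of root access during the temporary-access window, and the FAQ above recommends keeping it on so root activity can raise an alert. The following script is an added example (not DoiT code) of the detection side: it applies to CloudTrail records the same filter that the common CloudWatch metric filter for root usage uses (`userIdentity.type` is `Root`, `userIdentity.invokedBy` is absent, `eventType` is not `AwsServiceEvent`) and assigns a triage severity. The records are constructed samples in CloudTrail's JSON layout; the account ID, IP addresses and access key ID are placeholders.

```python
"""Flag root-user activity in CloudTrail records (added example, not DoiT code).

Mirrors the CloudWatch metric filter widely used for root-usage alarms. The
invokedBy and AwsServiceEvent exclusions drop events that AWS services
generate on the root identity's behalf, which would otherwise be noisy.
"""
import json
from dataclasses import dataclass


@dataclass
class RootFinding:
    event_time: str
    event_name: str
    source_ip: str
    mfa_used: str   # "Yes"/"No" for console logins, "n/a" for API calls
    severity: str   # "high" or "medium"


def is_root_activity(record: dict) -> bool:
    """True for actions taken directly by the root user."""
    identity = record.get("userIdentity") or {}
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def classify(record: dict) -> RootFinding:
    """Assign a triage severity to a root event."""
    extra = record.get("additionalEventData") or {}
    mfa = extra.get("MFAUsed", "n/a")
    name = record.get("eventName", "")
    if name == "ConsoleLogin":
        # A console login with MFA is expected during a scheduled onboarding
        # call; one without MFA deserves immediate attention.
        severity = "high" if mfa != "Yes" else "medium"
    else:
        # A root API call means root access keys exist and are in use.
        severity = "high"
    return RootFinding(
        event_time=record.get("eventTime", ""),
        event_name=name,
        source_ip=record.get("sourceIPAddress", ""),
        mfa_used=mfa,
        severity=severity,
    )


def find_root_activity(trail_json: str) -> list:
    """Parse one CloudTrail log file body and return findings for root events."""
    records = json.loads(trail_json).get("Records", [])
    return [classify(r) for r in records if is_root_activity(r)]


# Constructed sample records in CloudTrail's JSON layout (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # root console login with MFA: expected during the onboarding call
        "eventVersion": "1.08", "eventTime": "2024-01-10T09:01:12Z",
        "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # ordinary IAM user activity: ignored
        "eventVersion": "1.08", "eventTime": "2024-01-10T09:05:00Z",
        "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
    },
    {   # service acting on behalf of root: excluded by the invokedBy check
        "eventVersion": "1.08", "eventTime": "2024-01-10T09:06:00Z",
        "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketAcl", "sourceIPAddress": "config.amazonaws.com",
        "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"},
    },
    {   # root API call via access keys: always worth a ticket
        "eventVersion": "1.08", "eventTime": "2024-01-10T11:30:45Z",
        "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.99",
        "userIdentity": {"type": "Root", "accessKeyId": "AKIAPLACEHOLDER0001"},
        "responseElements": None,
    },
]})


if __name__ == "__main__":
    for f in find_root_activity(SAMPLE_TRAIL):
        print(f"{f.severity:6} {f.event_time} {f.event_name} "
              f"from {f.source_ip} (MFA: {f.mfa_used})")
```

Fed with the gzipped log objects CloudTrail delivers to S3, or with the same filter expressed as a CloudWatch Logs metric filter, this gives a record of every root login and API call during the onboarding window and afterwards; any root activity outside a scheduled call with DoiT is the signal to follow up on.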

Will DoiT require root access on an ongoing basis?

We don't require permanent access. However, there are occasions when root access is required, for example opening a billing case with AWS Support or adjusting payment methods. In such cases, we will contact you to request temporary supervised access.

How can I get emails sent to my root account if it's under @doit-intl.com domain?

We set up a special group on our side that can include contacts from your own organization. You'll be notified when an email is sent to the email address of the root account.

Additional questions?

No problem! Please reach out to your Account Team who will be more than happy to help.