SEC01-BP02 Secure AWS account
There are a number of aspects to securing your AWS accounts, including securing and not using the root user, and keeping your contact information up to date. You can use AWS Organizations
Level of risk exposed if this best practice is not established: High
Implementation guidance
- Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
- Limit use of the AWS account root user: Only use the root user to perform tasks that specifically require it.
  - Tasks that require root user credentials in the AWS Account Management Reference Guide
- Enable multi-factor authentication (MFA) for the root user: Enable MFA on the AWS account root user if AWS Organizations is not managing the root user for you.
- Periodically change the root user password: Changing the root user password reduces the risk that a saved password can be used. This is especially important if you are not using AWS Organizations and anyone has physical access.
- Enable notification when the AWS account root user is used: Being notified automatically when the root user is used reduces risk, because unexpected use is detected quickly.
- Restrict access to newly added Regions: For new AWS Regions, IAM resources such as users and roles are propagated only to the Regions that you enable.
- Consider AWS CloudFormation StackSets: CloudFormation StackSets can be used to deploy resources, including IAM policies, roles, and groups, into different AWS accounts and Regions from an approved template.
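The first two guidance items (centrally enforced policy through AWS Organizations, and limiting root user use) are usually combined in a service control policy that denies root-user API calls in member accounts. The following is an added example, not code from the Well-Architected page or from AWS: it builds such an SCP with an optional NotAction carve-out for tasks that genuinely require root, and includes a small evaluator that shows which principals the Deny statement would catch. The action name `example:RootOnlyTask` is a constructed placeholder, not a real IAM action.

```python
"""Build and sanity-check an SCP that denies root-user actions (added example)."""
from fnmatch import fnmatchcase

# aws:PrincipalArn of the root user of any account is arn:aws:iam::<account>:root
ROOT_PRINCIPAL_PATTERN = "arn:aws:iam::*:root"


def build_root_deny_scp(except_actions=None):
    """Return an SCP document that denies root-user API calls in every account
    the policy is attached to. When except_actions is given, those actions
    remain permitted for root (NotAction) so root-only tasks are not blocked."""
    statement = {
        "Sid": "DenyRootUser",
        "Effect": "Deny",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ROOT_PRINCIPAL_PATTERN}},
    }
    if except_actions:
        statement["NotAction"] = list(except_actions)
    else:
        statement["Action"] = "*"
    return {"Version": "2012-10-17", "Statement": [statement]}


def _matches_any(value, patterns, fold_case=False):
    """Wildcard match of value against one pattern or a list of patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, principal_arn, action):
    """True when the statement's Action/NotAction and PrincipalArn condition
    both cover the given call. IAM action names are case-insensitive;
    StringLike on an ARN is case-sensitive."""
    if "Action" in stmt:
        if not _matches_any(action, stmt["Action"], fold_case=True):
            return False
    elif "NotAction" in stmt:
        if _matches_any(action, stmt["NotAction"], fold_case=True):
            return False
    string_like = stmt.get("Condition", {}).get("StringLike", {})
    for key, patterns in string_like.items():
        if key == "aws:PrincipalArn" and not _matches_any(principal_arn, patterns):
            return False
    return True


def scp_denies(policy, principal_arn, action):
    """True if any Deny statement in the SCP covers this principal and action.
    Only the explicit-deny path of SCP evaluation is modelled here: a real
    SCP evaluation also needs an Allow for the action, and SCPs never apply
    to the management account of the organization."""
    return any(
        stmt.get("Effect") == "Deny" and _statement_applies(stmt, principal_arn, action)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    import json
    scp = build_root_deny_scp(except_actions=["example:RootOnlyTask"])  # placeholder action
    print(json.dumps(scp, indent=2))
    root = "arn:aws:iam::111122223333:root"          # constructed account id
    role = "arn:aws:iam::111122223333:role/Admin"    # constructed role ARN
    print("root iam:CreateUser denied:", scp_denies(scp, root, "iam:CreateUser"))
    print("root placeholder task denied:", scp_denies(scp, root, "example:RootOnlyTask"))
    print("role iam:CreateUser denied:", scp_denies(scp, role, "iam:CreateUser"))
```

Attach the generated document to the organizational units holding member accounts; because SCPs do not apply to the management account, its root user still needs the MFA, password rotation and usage notification controls from the list above.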
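The MFA and root-usage notification items rest on being able to recognise root activity in CloudTrail. The following added example (not part of the Well-Architected page or of any AWS tooling) walks a CloudTrail log file, reports every event made with root credentials, and records whether MFA backed the call, using the `userIdentity.type`, `sessionContext.attributes.mfaAuthenticated` and `additionalEventData.MFAUsed` fields that CloudTrail emits. The records, account id and IP addresses below are constructed sample data.

```python
"""Find root-user activity in CloudTrail records (added example)."""
import json

# Constructed CloudTrail log (not real data): a root console sign-in without
# MFA, an MFA-backed IAM role API call, and a root API call from a session.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-01-05T08:12:43Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "recipientAccountId": "111122223333",
        "userIdentity": {"type": "Root", "principalId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root",
                         "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {
        "eventTime": "2024-01-05T08:20:01Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.9",
        "recipientAccountId": "111122223333",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/ops",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {
        "eventTime": "2024-01-05T08:31:17Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "sourceIPAddress": "198.51.100.7",
        "recipientAccountId": "111122223333",
        "userIdentity": {"type": "Root",
                         "arn": "arn:aws:iam::111122223333:root",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
]})


def is_root_event(record):
    """True when the call was made with the account root user's credentials."""
    return record.get("userIdentity", {}).get("type") == "Root"


def mfa_used(record):
    """True when either the console sign-in event or the session behind an
    API call reports MFA. Console sign-ins carry additionalEventData.MFAUsed;
    API calls from a signed-in session carry sessionContext.attributes."""
    if record.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return True
    attrs = (record.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("attributes", {}))
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def find_root_activity(trail_json):
    """Return one finding per root-user event in a CloudTrail log file."""
    records = json.loads(trail_json).get("Records", [])
    return [
        {
            "time": rec.get("eventTime"),
            "account": rec.get("recipientAccountId"),
            "event": rec.get("eventName"),
            "source_ip": rec.get("sourceIPAddress"),
            "mfa": mfa_used(rec),
        }
        for rec in records if is_root_event(rec)
    ]


def summarize(trail_json):
    """Counts a notification or dashboard would surface for the account."""
    findings = find_root_activity(trail_json)
    return {
        "root_events": len(findings),
        "root_without_mfa": sum(1 for f in findings if not f["mfa"]),
        "event_names": [f["event"] for f in findings],
    }


if __name__ == "__main__":
    for finding in find_root_activity(SAMPLE_TRAIL):
        print(finding)
    print(summarize(SAMPLE_TRAIL))
```

In production the same predicate (`userIdentity.type == "Root"`) is what an EventBridge rule or a log-query alert on the CloudTrail feed should key on, so that every root sign-in and API call, not only sign-ins, raises a notification; the `root_without_mfa` count is the figure that should always be zero once MFA is enabled on the root user.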