**Purpose**
-----------

This document describes controls which will be implemented to protect AWS Accounts' Root user.

**Implementation**
------------------

The AWS Root user is accessed by signing in with the email address and password that were used to create an AWS Account. This user is unconstrained by IAM policies. A set of preventative and detective security controls will be deployed to protect AWS Root credentials and prevent deviations from the developed IAM credentials management baseline, which aligns to Well-Architected best practices.

#### **Root user Security Preventative Guardrails**

The following security measures will be implemented to properly protect the Root:

1. Root user will only be used for tasks which require Root credentials. The most up to date list of such tasks can be found [here](https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html).
2. Root password will be generated using a random number generator provided by a Secrets Management platform (e.g. LastPass, CyberArk).
3. Root password will be stored in a Secrets Management platform (e.g. LastPass, CyberArk) and will only be accessible by a limited group of people responsible for AWS accounts administration.
4. Hardware MFA (e.g. YubiKey, Gemalto) will be used for the Root credentials of every AWS account to provide for two-factor authentication.
5. Hardware MFA tokens will be stored in a physical safe located at an IT department office accessible by a limited group of people responsible for AWS accounts administration.
6. No access keys will be created for the Root.
7. Account Security Challenge Questions and Answers will be stored in a Secrets Management platform (e.g. LastPass, CyberArk).

#### **Root user Security Detective Guardrails**

1. Detective controls will be implemented using a combination of AWS Config Rules and AWS CloudWatch Alarms (link to Detective Controls Design artifact).
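The detective guardrail above alerts on any use of the Root user. As an added example, not part of this design document or of any AWS-provided code, the Python below applies the same match logic the CloudWatch Logs metric filter for root usage encodes (the CIS AWS Foundations Benchmark pattern: `userIdentity.type` is `Root`, `invokedBy` is absent, and `eventType` is not `AwsServiceEvent`) to a CloudTrail log file, and additionally flags a root console login performed without MFA (guardrail 4) and root access-key creation (guardrail 6). The CloudTrail records are constructed for the example; the function and check names are the example's own.

```python
"""Scan a CloudTrail log file for Root-user activity.

Added example (not the design document's code). The records below are
constructed and trimmed to the fields the checks use.
"""
import json

# Constructed CloudTrail file in the {"Records": [...]} layout CloudTrail
# writes to S3. e5 and e6 are Root-typed events that should NOT alert:
# one is a service acting on Root's behalf, the other is a service event.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventID": "e4", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e5", "eventName": "PutEvaluations", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    {"eventID": "e6", "eventName": "CreateDefaultVpc", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root"}},
]})


def is_root_activity(event):
    """Equivalent of the metric filter
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


def is_root_login_without_mfa(event):
    """Root console sign-in where CloudTrail did not record MFA use."""
    return (is_root_activity(event)
            and event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_root_access_key_creation(event):
    """Root creating an access key violates the 'no Root access keys' guardrail."""
    return is_root_activity(event) and event.get("eventName") == "CreateAccessKey"


CHECKS = {
    "root_activity": is_root_activity,
    "root_login_without_mfa": is_root_login_without_mfa,
    "root_access_key_created": is_root_access_key_creation,
}


def scan_trail(trail_json):
    """Return {check_name: [eventID, ...]} for every record that matches."""
    records = json.loads(trail_json).get("Records", [])
    findings = {name: [] for name in CHECKS}
    for rec in records:
        for name, check in CHECKS.items():
            if check(rec):
                findings[name].append(rec["eventID"])
    return findings


if __name__ == "__main__":
    for name, ids in scan_trail(SAMPLE_TRAIL).items():
        print(f"{name}: {ids}")
```

The `invokedBy` and `AwsServiceEvent` exclusions matter: without them, routine service activity that CloudTrail attributes to Root would page the on-call team and drown the genuine sign-in in e2.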
**Ozone implementation**
------------------------

This section applies to Ozone implementations only. The Ozone implementation has a unique procedure for securing the Master account Root.

##### **Master Account Root user Security Preventative Guardrails**

The following security measures will be implemented to properly protect the Root by \[Customer\]:

1. Root user will only be used for tasks which require Root credentials. The most up to date list of such tasks can be found [here](https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html).
2. Root password will be generated by \[Customer\] using a random number generator provided by a Secrets Management platform (e.g. LastPass, CyberArk).
3. Root password will be stored in \[Customer\] Secrets Management platform (e.g. LastPass, CyberArk) and will only be accessible by a limited group of people responsible for AWS accounts administration.
4. No access keys will be created for the Root.
5. Account Security Challenge Questions and Answers will be stored in \[Customer\] Secrets Management platform (e.g. LastPass, CyberArk).

The following security measures will be implemented to properly protect the Root by the Ozone service team:

1. Google Authenticator will be used for the Root credentials of the Master account to provide for two-factor authentication. The Ozone team works with the customer to initially set up the MFA as part of the onboarding process.
2. The QR code generated by Google Authenticator is deleted from the device which generates it and is stored in a physical safe accessible by a limited group of Ozone service team members responsible for AWS accounts administration.

\[Customer\] can go through the [recovery procedure](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html) to gain access to Root to perform actions that require Root credentials. \[Customer\] should notify Ozone by opening a case with Ozone before doing so.

**Attachments:**