Best Practice for MFA on Root AWS Accounts


I would like to enable multi-factor authentication on my organization’s AWS root account, however I’m unsure of the best practices on how to do so.

We already have separate IAM accounts for each person needing access; almost every account is extremely limited in permissions, but several of us have full administrator access via IAM. Requiring MFA for each user’s IAM account is easy since they can all set up Google Authenticator or Authy on their personal devices. However, doing the same thing to the root account seems unwise, since it would limit access to a single person (which isn’t very bus-proof). A couple of ideas I’ve had are:

  1. Enable MFA and have 2–3 admins scan the QR code (for the root account) at the same time.
  2. Create a shared Authy account for this purpose and record the password somewhere secure that an admin can access if needed.

Is there a best practice for doing this or another option I’m missing?


Method 1

Another option I’ve used is to sync a hardware token (like the ones RSA will sell you) to the account, then put the token in a company safe. As long as you keep the physical security of the safe tight, the token is protected. It will be annoying to go through the process of getting the token out of the safe (there should be only a few people who have access to it, and a process for opening it), but that’s ok because you aren’t using the root account regularly, just for emergency recovery purposes.

Method 2

Here’s how I wrote up a solution to this:

The Vault product from HashiCorp allows you to log all access to any credential, and it supports TOTP hashes in such a way that it’ll permit you to read the current value but not the secret key. To use root access, get the current token from Vault.

To ensure that you don’t lose access, make good backups. To ensure that your backups aren’t compromised, split the master decryption key among the appropriate number of individuals in your organization and encrypt each share to PGP keys on hardware tokens.

In this way as long as a Vault instance is running, any authorized person can use the root credentials and you’ll know who did. Actually getting the root MFA secret would require collusion among multiple people.
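The two properties this answer relies on (a service that hands out the current TOTP code while never revealing the seed, and a seed backup that needs a quorum of people to reconstruct) can be modelled in a few dozen lines. The following is an added example, not code from the answer above and not HashiCorp Vault's own implementation: a minimal RFC 6238 TOTP generator plays the part of Vault's TOTP secrets engine, and Shamir's secret sharing over a prime field plays the part of the split master key. The seed used (the RFC 6238 test seed), the 2-of-3 share policy, the field prime and the caller names are all constructed for the demonstration.

```python
"""Added example (not from the original post): a model of the Method 2 design.

A tiny TOTP generator (RFC 6238, HMAC-SHA1, 6 digits) stands in for Vault's
TOTP secrets engine: callers get the current code and a log entry, never the
seed. The seed is split with Shamir's secret sharing so that recovering it
needs a quorum of share holders, which is the "collusion among multiple
people" property the answer describes.
"""
import hashlib
import hmac
import secrets
import struct
import time

# Assumption for the example: Shamir arithmetic is done over the 521-bit
# Mersenne prime, which is large enough to hold a 20-byte TOTP seed as an int.
PRIME = 2**521 - 1


def totp_code(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time counter,
    dynamic truncation (RFC 4226), then the low `digits` decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpEngine:
    """Models a read-only code endpoint: the seed is private to the object and
    only the current code leaves it. Every read is recorded with the caller,
    which is the audit trail the answer wants ("you'll know who did")."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self.audit_log = []  # list of (unix_time, caller)

    def current_code(self, caller: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        self.audit_log.append((now, caller))
        return totp_code(self._seed, now)


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of a polynomial with coefficients [c0, c1, ...] mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, shares: int):
    """Shamir split: random polynomial of degree threshold-1 whose constant
    term is the secret; share i is the point (i, f(i))."""
    s = int.from_bytes(secret, "big")
    assert s < PRIME and 1 < threshold <= shares
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange interpolation at x = 0 over at least `threshold` shares.
    `length` restores any leading zero bytes lost in the int conversion."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed scenario: RFC 6238 test seed, 2-of-3 share policy.
    seed = b"12345678901234567890"
    engine = TotpEngine(seed)
    print("code for alice:", engine.current_code("alice"))
    print("audit log:", engine.audit_log)
    shares = split_secret(seed, threshold=2, shares=3)
    assert recover_secret(shares[:2], len(seed)) == seed
    print("seed recovered from 2 of 3 shares")
```

The `audit_log` is the point of the design: the root MFA code is a normal, logged read, while the seed only ever exists inside the engine or as shares held by different people. In a real deployment each share would additionally be encrypted to the holder's hardware-backed PGP key, as the answer says, so that a stolen backup disk yields neither the seed nor enough shares to rebuild it.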
