What is an additional way to secure the AWS accounts of both the root account and new users?

When you create an account in your organization, in addition to the root user, AWS Organizations automatically creates an IAM role that is by default named OrganizationAccountAccessRole. You can specify a different name when you create it, however we recommend that you name it consistently across all of your accounts. We refer to the role in this guide by the default name. AWS Organizations doesn't create any other IAM users, groups, or other roles. To access the accounts in your organization, you must use one of the following methods:

  • The account has a root user that you can use to sign in. We recommend that you use the root user only to create IAM users, groups, and roles and then always sign in with one of those. See Accessing a member account as the root user.

  • If you create an account by using the tools provided as part of AWS Organizations, you can access the account by using the preconfigured role named OrganizationAccountAccessRole that exists in all new accounts that you create this way. See Accessing a member account that has a management account access role.

  • If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with AWS Organizations. To create this role, see Creating the OrganizationAccountAccessRole in an invited member account. After you create the role, you can access it using the steps in Accessing a member account that has a management account access role.

  • Use AWS IAM Identity Center (successor to AWS Single Sign-On) and enable trusted access for IAM Identity Center with AWS Organizations. This allows users to sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.

    For more information, see Multi-account permissions in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide. For information about setting up trusted access for IAM Identity Center, see AWS IAM Identity Center (successor to AWS Single Sign-On) and AWS Organizations.

To access an AWS account from any other account in your organization, you must have the following permission:

  • sts:AssumeRole – The Resource element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account.

Accessing a member account as the root user

When you create a new account, AWS Organizations initially assigns a password to the root user that is a minimum of 64 characters long. All characters are randomly generated with no guarantees on the appearance of certain character sets. You can't retrieve this initial password. To access the account as the root user for the first time, you must go through the process for password recovery.

  • As a best practice, we recommend that you don't use the root user to access your account except to create other users and roles with more limited permissions. Then sign in as one of those users or roles.

  • We also recommend that you set multi-factor authentication (MFA) on the root user. Reset the password, and assign an MFA device to the root user.

  • If you created a member account in an organization with an incorrect email address, you can’t sign in to the account as the root user. Contact AWS Billing and Support for assistance.

Creating the OrganizationAccountAccessRole in an invited member account

By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. By default, that role is named OrganizationAccountAccessRole. For more information, see Accessing a member account that has a management account access role.

However, member accounts that you invite to join your organization do not automatically get an administrator role created. You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.

The users who are members of the selected group now can use the URLs that you captured in step 9 to access each member account's role. They can access these member accounts the same way as they would if accessing an account that you create in the organization. For more information about using the role to administer a member account, see Accessing a member account that has a management account access role.

Accessing a member account that has a management account access role

When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role named OrganizationAccountAccessRole in the account. This role has full administrative permissions in the member account. The role trusts the organization's management account, so its scope of access covers every principal in the management account that is permitted to assume it. You can create an identical role for an invited member account by following the steps in Creating the OrganizationAccountAccessRole in an invited member account. To use this role to access the member account, you must sign in as a user from the management account that has permissions to assume the role. To configure these permissions, perform the following procedure. We recommend that you grant permissions to groups instead of users for ease of maintenance.
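The two policy documents this section and the sts:AssumeRole requirement above describe, as an added example that is not from the AWS Organizations documentation: the trust policy placed on OrganizationAccountAccessRole in the member account, and the permissions policy attached to a group in the management account. The account IDs are placeholders; the MFA condition on the trust policy is an added hardening consistent with the MFA advice on this page, not something Organizations configures for you, and the Resource element uses the role ARN rather than an asterisk so the group can reach only the listed accounts.

```python
"""Policy documents for cross-account access via OrganizationAccountAccessRole.
Example code added here; account IDs below are placeholders, not real accounts."""
import json

ROLE_NAME = "OrganizationAccountAccessRole"


def trust_policy(management_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy for the role in the (invited) member account.
    Trusts the management account; the MFA condition is an added hardening."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(member_account_ids: list[str]) -> dict:
    """Permissions policy for a group in the management account.
    Resource lists the role ARN per member account instead of "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{ROLE_NAME}"
                         for acct in member_account_ids],
        }],
    }


def overly_broad(policy: dict) -> bool:
    """True if any Allow statement grants sts:AssumeRole on Resource "*",
    i.e. the group could assume any role that trusts the management account."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in actions and "*" in resources:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy("111111111111"), indent=2))
    print(json.dumps(assume_role_policy(["222222222222"]), indent=2))
```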

IAM users that are members of the group now have permissions to switch to the new role in the AWS Organizations console by using the following procedure.

Additional resources

  • For more information about granting permissions to switch roles, see Granting a User Permissions to Switch Roles in the IAM User Guide.

  • For more information about using a role that you have been granted permissions to assume, see Switching to a Role (AWS Management Console) in the IAM User Guide.

  • For a tutorial about using roles for cross-account access, see Tutorial: Delegate Access Across AWS accounts Using IAM Roles in the IAM User Guide.

  • For information about closing AWS accounts, see Closing an AWS account.

What is an additional way to secure the AWS accounts of both the root account and new users alike?

Implement Multi-Factor Authentication for all accounts.

What methods can you use to secure the AWS root account?

  • Safeguard your passwords and access keys.

  • Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM).

  • Limit AWS account root user access to your resources.

  • Audit IAM users and their policies frequently.

What are the most secure ways to protect the AWS account root user of a recently opened AWS account?

Best practices for AWS root accounts:

  • Never share AWS root account credentials.

  • Delete any and all of root's programmatic access keys.

  • Enable multi-factor authentication (MFA) on the root account.

  • Update the AWS password policy to rotate credentials every 90 days.

How do you secure AWS account?

Best practices to help secure your AWS resources:

  • Create a strong password for your AWS resources.

  • Use a group email alias with your AWS account.

  • Enable multi-factor authentication.

  • Set up AWS IAM users, groups, and roles for daily account access.

  • Delete your account's access keys.

  • Enable CloudTrail in all AWS regions.