Tackling MFA for AWS Organization Member Accounts


  • strong passwords
  • assigned to group email addresses (routed to Security Team)
  • Virtual MFA assigned
  • with all sensitive details secured in relation to their data classification and CIA requirements. (more on this below)


  • 1Password/KeePass/BitWarden or another password management system where you have access to the password DB/vault. Cloud-hosted password management is an option, but it is not recommended for this data classification.
  • Multiple (at least 4) secure, waterproof, shockproof, etc. USB drives
  • A Virtual MFA tool, Authy etc.
  • RBAC NTFS/OneDrive etc storage
  • Secure physical storage, safe, bank vault, offsite secure server room etc
  • Access to a printer

Threat Modelling

  • Access to the password vault, or
  • Access to the MFA virtual seeds
  • segregated (priority)
  • protected
  • secure


| Account # | Account Name | Account Email | MFA Seed |
|-----------|--------------|---------------|----------|
| 12345678 | lz_log_archive | security+lz_log_archive@mydomain.com | 098789287597453 |
| 87654321 | lz_security | security+lz_security@mydomain.com | 6544646465498744 |

Wrapping up, securing and segregating.

  • Password Vault — stored securely on RBAC NTFS/OneDrive etc. and on a USB drive. The KeePass safety sheet is kept as a PDF on the same USB, with printed copies in case of USB corruption
  • .txt with MFA Seeds — Stored on a 2nd USB key and printed in case of USB corruption

Help! I need to log in as root.

  • retrieve password from the vault above
  • retrieve the associated virtual MFA seed from a secured USB drive. Fire up Authy, re-add the token. Delete after use.
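An added example, not part of the original post: a check to run over the seeds .txt before the USB key is locked away, so a mistyped or corrupted seed is found at backup time rather than during a root login. It assumes the seeds are base32 TOTP secrets as virtual MFA apps accept them (RFC 6238, HMAC-SHA1, 30-second step); `totp`, `check_seed_file` and `SAMPLE` are names made up here.

```python
import base64
import hashlib
import hmac
import struct

def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): what a virtual MFA app derives from a seed."""
    seed = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))  # ValueError if not base32
    if not key:
        raise ValueError("empty seed")
    mac = hmac.new(key, struct.pack(">Q", int(unix_time) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_seed_file(text):
    """Return (usable, problems) for rows of 'Account # | Name | Email | MFA Seed'."""
    usable, problems = [], []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].isdigit():
            continue  # header, separator or blank line
        account, _name, _email, seed = cells
        try:
            totp(seed, 0)  # decode and derive once; the code itself is discarded
            usable.append(account)
        except ValueError as err:
            problems.append((account, str(err)))
    return usable, problems

# Constructed sample. The first seed is the RFC 6238 test key in base32; the second
# is the placeholder value from the table above, which is not a valid base32 seed.
SAMPLE = """\
| Account # | Account Name | Account Email | MFA Seed |
| 12345678 | lz_log_archive | security+lz_log_archive@mydomain.com | GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ |
| 87654321 | lz_security | security+lz_security@mydomain.com | 6544646465498744 |
"""

if __name__ == "__main__":
    usable, problems = check_seed_file(SAMPLE)
    print("usable:", usable)
    for account, reason in problems:
        print("unusable seed for account", account, "-", reason)
```

Because `totp` needs nothing but the seed, anyone holding the seed file holds the second factor, which is why it lives on a different USB key from the password vault. The script reports account numbers only, never seeds or codes.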


- Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and Regions, do not require root user credentials.
- View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc or Amazon Internet Services Pvt. Ltd (AISPL).
- Close your AWS account.
- Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
- Change your AWS Support plan or Cancel your AWS Support plan.
- Register as a seller in the Reserved Instance Marketplace.
- Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete.
- Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID.
- Sign up for GovCloud.



