undefined | Better HN

0 pointsfrenchtoast85mo ago0 comments

I believe this is a scenario where AWS recommends multiple accounts.

1. Create another "management" AWS account, and make your other AWS account a child to that.

2. Ensure no one ever logs in to the "management" account, as there shouldn't be any business purpose in doing so. For example, you should require a hardware key to log in.

3. Configure the "management" account to force children account to enable AWS Config, AWS CloudTrail, etc. Also force them to duplicate logs to the "management" account.

Step 2 is important. At the end of the day, an organization can always find a way to render their security measures useless.

0 comments

0cf8612b2e1e5mo ago

2) Surely, someone needs access to the account. How do you prevent those with access from using it? Security feels like turtles all the way down where you ultimately have to trust a few people to do the right thing.

zrail5mo ago

The only reason someone would need access to the management account would be maintaining child accounts and IAM roles or reviewing logs, none of which should need root.

j / k navigate · click thread line to collapse