AWS management account root user credentials
The AWS management account is the account used to create the AWS organization. It is a payer account and pays all charges accrued by the member accounts (see AWS Organizations terminology and concepts).
​
Dcode.tech co-owns the root user credentials of the AWS management account (formerly known as Master Payer Account (MPA)) for billing administration. We do not require access to root users of any AWS member accounts.
1
Why does Dcode.tech hold the AWS management account root user credentials?
-
Dcode.tech holds the root user credentials of the AWS management account, which is the payer account of the AWS organization, for billing administration.
-
​
-
Amazon requires its partners such as Dcode.tech to use root user credentials of a payer account when communicating with Amazon for billing issues.
-
​
-
In addition, we set the management account root user's email address to a unique Dcode.tech-owned email account. This email is a distribution list, and you can add email addresses owned by your organization to this group. This ensures that you continue to receive all emails sent to the root account.
-
​
-
Our ticketing system automatically creates and updates tickets according to emails sent to that specific address. This allows our Customer Reliability Engineering (CRE) team to share account updates with you, as our customer, through support tickets.
2
Co-ownership of the AWS management account root user credentials
-
Dcode.tech co-owns the root user credentials with our customers in our new approach to enhance security and transparency.
-
This means that both Dcode.tech and you have access to the root user credentials, providing an additional layer of security and control for you.
3
How is my team impacted?
Dcode.tech uses the management account root user credentials solely for billing administration.
​
We provide you with root user access so that you can create an IAM role and manage the access to that account for your company.
All access requests to the management account should be handled internally within the company.
This aligns with the AWS Best practices to protect your account's root user.
4
How does DoiT secure and store the management account root user credentials?
Docode.tech stores the management account root user credentials in a secure vault. Only a specific group of Dcode.tech employees has access to the secure vault. We audit the access and constrain it to performing Tasks that require root user credentials. In case you end the partnership with Dcode.tech, we transfer the ownership of the credentials back to you.
​
After we update the root user credentials of the AWS management account to a Dcode.tech email address, we deal with the password and enable multi-factor authentication (MFA) on the AWS management account. We also encrypt the new password and vault it using specialized software.
​
There are two scenarios in which we handle the password:
​
-
You want to keep your existing password. We will send you a secure one-time link. You can use the link to share the password with us.
-
You want to change your password. We will send you a securely generated password via a one-time link.
In both scenarios, we make sure that the credentials are handled securely.
Dcode.tech operates on the highest level of industry security standards.
5
How does Dcode.tech release management account root user credentials?
As part of our co-ownership policy, customers already have access to the root user credentials. This co-ownership provides an additional layer of security and control for the customer.
There are two additional scenarios:
-
Closure of an account
-
Reverse assumption (customers taking billing ownership of accounts)
If you close an account, the root user credentials lead to a dead end. They do not need to be destroyed by Dcode.tech.
If you terminate management services with Dcode.tech, we follow the reverse assumption process, which includes changing the root user credentials to those defined by you as the customer.
6
Usage of Root User Credentials
Dcode.tech uses root user credentials sparingly. They are primarily used during onboarding and only when necessary to communicate with AWS for billing issues. For all regular activities, we utilize IAM roles, which align with AWS best practices for account security. This approach ensures that root user credentials are not exposed to unnecessary risks.
Get in Touch
This is a Paragraph. Click on "Edit Text" or double click on the text box to start editing the content.