
I have been managing an AWS account for about a year. Typical "best practices" security setup:

  • 1 Root Account
  • Multiple non-Root accounts, including the one I use on a daily basis
  • All accounts using MFA (I personally use the Google Authenticator app)

I would like to now transfer "ownership" of this entire AWS account (Root account & all) to someone else. While I can certainly give them the username + password to login as Root, they will need MFA setup as well.

The only way I can think of handling this is to:

  1. Disable MFA on the Root account
  2. Give them the logins for the Root account
  3. Trust that they will re-enable MFA as soon as possible

Does the AWS web console provide any better solutions? I'm not even sure if it's possible to disable MFA on an account (let alone Root) once it's set...

Thanks in advance!

hotmeatballsoup
  • Do you have a TAMS you could ask about this? I'm sure they would be the best resource to answer this. – Matt Runion Sep 14 '18 at 15:58
  • Thanks @mrunion but no, this is a free/basic account without any paid AWS support. I figured this type of thing would be pretty common/straight-forward though... – hotmeatballsoup Sep 14 '18 at 16:42
  • If you are transferring ownership why do you care if they enable MFA? Make sure that you are also changing the names on the AWS account otherwise you are still liable no matter who has root access. If your goal is to just give root access, don't. Create an IAM user with the required permissions and require the user to enable MFA. – John Hanley Sep 14 '18 at 23:49
  • Thanks @JohnHanley, a few followup questions for you, if you don't mind. **(1)** "*If you are transferring ownership why do you care if they enable MFA?*" **Answer: I don't.** I am transferring ownership and I just want to make sure they can log in as the root without needing my MFA-enabled device (my phone running Google Authenticator) in front of them. Can you kindly confirm that there is a way to disable MFA on root accounts? That way I can just give them the root creds and...*sayonara!* – hotmeatballsoup Sep 20 '18 at 19:42
  • Also **(2)** "*Make sure that you are also changing the names on the AWS account...*" any chance you can be more specific? Which names are you referring to, and through which screens/services/console areas? Thanks again for any-and-all insight! – hotmeatballsoup Sep 20 '18 at 19:42
  • Q1) Because you asked "Trust that they will re-enable MFA as soon as possible". Q2) Login to the AWS Console. Go to My Account. Look at each tab in the left. Contact Information, Alternate Contacts, Billing information, Payment Methods, etc all need to be changed / removed. Kathan Tripathi has provided an answer on disabling MFA. – John Hanley Sep 20 '18 at 21:31

3 Answers

To deactivate the MFA device for your AWS account root user (console):

  1. Use your AWS account root user credentials to sign in to the AWS Management Console.

     Important: To manage MFA devices for the AWS account, you must sign in to AWS with your AWS account root user credentials. You cannot manage MFA devices for the root user with other credentials.

  2. On the navigation bar, choose your account name, and then choose My Security Credentials. If a prompt appears, choose Continue to Security Credentials.
  3. Expand the Multi-Factor Authentication (MFA) section.
  4. In the row for the MFA device that you want to deactivate, choose Deactivate.

The MFA device is deactivated for the AWS account.

You asked three questions. Let us look at them one by one.

1. Disable MFA on the Root account

To deactivate the MFA device for your AWS account root user (console), follow these steps:

  1. Sign in to your AWS account with root creds
  2. In the right corner of the navigation pane you can see My Security Credentials
  3. Select Multi-Factor Authentication
  4. Then mark it as Deactivate against your MFA device

2. Give them the logins for the Root account

For this, follow the AWS documentation which clearly shows "How do I transfer my account to another person or business?". For this there is no need for a Technical Support package; your Basic Support package is enough.

3. Trust that they will re-enable MFA as soon as possible

For this you have to ask whoever you are transferring the account to to enable MFA. You can also teach them the need for MFA and its security benefits.

Vaisakh PS
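Rather than only trusting the new owner to re-enable MFA, either party can verify it from the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report`, whose `Content` field is base64 CSV). The audit below is an added example, not code from any answer here or from AWS; the report text is constructed and keeps only a subset of the real report's columns, and the account ID is AWS's documentation placeholder.

```python
import csv
import io

# Constructed sample (not real report output): a trimmed subset of the columns
# that the decoded credential report CSV contains. Root appears as <root_account>.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
deploy,arn:aws:iam::111122223333:user/deploy,false,false,true,false
"""

ROOT = "<root_account>"


def audit_credential_report(report_csv: str) -> list[str]:
    """Return findings about root and console-user MFA state.

    Rules checked:
      * the root user must have MFA active and no active access keys;
      * every IAM user with a console password must have MFA active.
    API-only users (no console password) are not flagged for missing MFA.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        keys = [n for n in ("1", "2") if row.get(f"access_key_{n}_active") == "true"]
        if user == ROOT:
            if not mfa:
                findings.append("root: MFA is not active")
            for n in keys:
                findings.append(f"root: access key {n} is active; root should not have access keys")
        elif row["password_enabled"] == "true" and not mfa:
            findings.append(f"{user}: console password enabled without MFA")
    return findings


def root_mfa_enabled(report_csv: str) -> bool:
    """True only if the root user row reports mfa_active == true."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT:
            return row["mfa_active"] == "true"
    return False


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```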

As mentioned, it's possible to remove an MFA from an account once it's been added. You also have two options for transferring the root account with MFA enabled:

  • If the account is worth the investment, buy and use a hardware MFA. Then transferring the account involves physically transferring the MFA device.
  • If you want to keep using a virtual device, remove the MFA from the root account and re-add it. While scanning the QR code with your own Authenticator app, take a screenshot of the QR code and store it securely (ideally, print it on paper and immediately destroy any digital copies), or press "Show secret key for manual configuration" and write down on paper the long seed string. The QR code or seed string can be scanned or entered to seed the same OTP number-stream onto the new owner's Authenticator app. Obviously, be aware that if stolen the same data can be used to seed the same stream by anyone, including an attacker, so keep it secure.
Stephen
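What the seed-copying option in the second bullet actually hands over, as an added example that is not from this answer, from AWS or from Google: a minimal RFC 6238 TOTP in Python, the same SHA-1/30-second/6-digit scheme virtual MFA apps use, with the public RFC 6238 test secret standing in for a real AWS seed. Anyone holding the base32 string reproduces the identical code stream, which is why the paper copy needs the same protection as the root password; `verify_code` shows the one-step tolerance a verifying side commonly allows for clock drift (an assumption about typical verifiers, not a statement about AWS).

```python
import base64
import hashlib
import hmac
import struct
import time

# Public RFC 6238 test secret (ASCII "12345678901234567890") in the base32 form
# shown behind "Show secret key for manual configuration". A real AWS seed differs.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Accept the seed as copied from paper: spaces, lowercase, no '=' padding."""
    s = seed_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code any app seeded with this string shows at unix_time."""
    return hotp(decode_seed(seed_b32), unix_time // step, digits)


def verify_code(seed_b32: str, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of drift."""
    key = decode_seed(seed_b32)
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    # Old owner's app and new owner's app both hold the seed: same six digits.
    print("code from seed:", totp(RFC6238_SEED_B32, now))
    print("accepted:", verify_code(RFC6238_SEED_B32, totp(RFC6238_SEED_B32, now), now))
```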