by jackson1442 1634 days ago
@aws, why not mandate MFA for a root user? In child org accounts where this is less feasible, you could allow access to the root user only from the parent account, no direct login at all.
3 comments

One option is to set your root user's password to some random 64-character string and forget it. Any time you want root access (rare) you go through a reset flow, which means your root auth is tied to your email. Something like Gmail has pretty strict controls so this is actually imo the safest option available.
While this may be safest, it doesn’t make sense why Amazon doesn’t save themselves a couple (hundred) grand in refunds by locking down root accounts.
You can keep the password unset as well.
You can create rootless organisation-managed child accounts. This is a solved problem.
Organization child accounts are not rootless; they're just seeded with a random password.
Sure, 'technically' you could call support and have them set up an email address for the root account, and then it wouldn't be rootless anymore.

But if you set up your child account with something that cannot resolve as an email address it is no longer a working root account and won't be until you contact AWS support. You cannot change the email address setting yourself either, you cannot log in and you cannot 'assume' root either (as if it were an IAM user). So in essence: no root access for anyone.

Then you add an SCP to deny support access from that account (or the entire OU or all org child accounts) and it can't self-contact AWS support either for good measure.
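The service control policy described in the comment above, written out as an added example (this is not the commenter's own policy and not an AWS-published one). The first statement is the "deny support access" control the comment proposes; the second goes beyond the comment and denies every API action to the root user of any member account the policy is attached to, which is the documented way to neutralise a member-account root even if someone later recovers its credentials. The `Sid` values are constructed labels.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySupportFromMemberAccounts",
      "Effect": "Deny",
      "Action": "support:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Attach it to the OU (or the organization root) that holds the child accounts, for instance with `aws organizations attach-policy --policy-id <scp-id> --target-id <ou-id>` from the management account. Two caveats worth knowing before relying on it: SCPs never apply to the management account itself, so the account that owns the organization still needs its own root protected with MFA (`aws iam get-account-summary` reports this as `AccountMFAEnabled`); and `support:*` also covers the Trusted Advisor API actions, so anything that polls Trusted Advisor from inside a member account will stop working once the policy is in place.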

You just reminded me to set up MFA on my root account so thanks!