Transferring AWS Root Account access when MFA is enabled

Question

I have been managing an AWS account for about a year. Typical "best practices" security setup:

• 1 Root Account
• Multiple non-Root accounts, including the one I use on a daily basis
• All accounts using MFA (I personally use the Google Authenticator app)

I would like to now transfer "ownership" of this entire AWS account (Root account & all) to someone else. While I can certainly give them the username + password to login as Root, they will need MFA setup as well.

The only way I can think of handling this is to:

1. Disable MFA on the Root account
2. Give them the logins for the Root account
3. Trust that they will re-enable MFA as soon as possible

Does the AWS web console provide any better solutions? I'm not even sure if its possible to disable MFA on an account (let alone Root) once its set...

Thanks in advance!

Answer 1

To deactivate the MFA device for your AWS account root user (console)

Use your AWS account root user credentials to sign in to the AWS Management Console.

Important

To manage MFA devices for the AWS account, you must sign in to AWS with your AWS account root user credentials. You cannot manage MFA devices for the root user with other credentials.

On the navigation bar, choose your account name, and then choose My Security Credentials. If a prompt appears, choose Continue to Security Credentials.



Expand the Multi-Factor Authentication (MFA) section.

In the row for the MFA device that you want to deactivate, choose Deactivate.

The MFA device is deactivated for the AWS account

Answer 2

As mentioned, it's possible to remove an MFA from an account once it's been added. You also have two options for transferring the root account with MFA enabled:

• If the account is worth the investment, buy and use a hardware MFA. Then transferring the account involves physically transferring the MFA device.
• If you want to keep using a virtual device, remove the MFA from the root account and re-add it. While scanning the QR code with your own Authenticator app, take a screenshot of the QR code and store it securely (ideally, print it on paper and immediately destroy any digital copies), or press "Show secret key for manual configuration" and write down on paper the long seed string. The QR code or seed string can be scanned or entered to seed the same OTP number-stream onto the new owner's Authenticator app. Obviously, be aware that if stolen the same data can be used to seed the same stream by anyone, including an attacker, so keep it secure.

Answer 3

You asked three questions.Let us look on by one

1.Disable MFA on the Root account

To deactivate the MFA device for your AWS account root user (console) follow these steps

1. Sigin to your AWS Account with Root Creds
2. On the right corner of navigation pane you can see the My Security Credentials
3. Select Multi-Factor Authentication
4. Then mark it as Deactivate against your MFA Device

2.Give them the logins for the Root account

For this you follow this AWS documentation which clearly shows How do I transfer my account to another person or business?.For this there is no need of Technical support package, your Basic Support package is enough.

3.Trust that they will re-enable MFA as soon as possible

For this you have to ask them whoever you are transferring the account to enable the MFA. You can also teach them the need of MFA and it's security needs.