{
	"id": "ced3b6de-e7d3-4655-b99e-cfbcaebd899b",
	"created_at": "2026-04-06T00:18:53.676208Z",
	"updated_at": "2026-04-10T03:22:00.605971Z",
	"deleted_at": null,
	"sha1_hash": "1e07e7ad690ccb9c483ce723b6403974424e2a7a",
	"title": "Best practices for the management account",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46329,
	"plain_text": "Best practices for the management account\r\nArchived: 2026-04-02 10:40:48 UTC\r\nFollow these recommendations to help protect the security of the management account in AWS Organizations.\r\nThese recommendations assume that you also adhere to the best practice of using the root user only for those tasks\r\nthat truly require it.\r\nTopics\r\nLimit who has access to the management account\r\nReview and track who has access\r\nUse the management account only for tasks that require the management account\r\nAvoid deploying workloads to the organization’s management account\r\nDelegate responsibilities outside the management account for decentralization\r\nLimit who has access to the management account\r\nThe management account is key to all the mentioned administrative tasks such as account management, policies,\r\nintegration with other AWS services, consolidated billing, and so on. Therefore, you should restrict and limit\r\naccess to the management account only to those admin users who need rights to make changes to the organization.\r\nReview and track who has access\r\nTo make sure that you maintain access to the management account, periodically review the personnel within your\r\nbusiness who have access to the email address, password, MFA, and phone number associated with it. Align your\r\nreview with existing business procedures. Add a monthly or quarterly review of this information to verify that\r\nonly the correct people have access. Ensure that the process to recover or reset access to the root user credentials\r\nis not reliant on any specific individual to complete. All processes should address the prospect of people being\r\nunavailable.\r\nUse the management account only for tasks that require the management account\r\nWe recommend that you use the management account and its users and roles for tasks that must be performed only\r\nby that account. Store all of your AWS resources in other AWS accounts in the organization and keep them out of\r\nthe management account. One important reason to keep your resources in other accounts is because Organizations\r\nservice control policies (SCPs) do not work to restrict any users or roles in the management account. Separating\r\nyour resources from your management account also helps you to understand the charges on your invoices.\r\nFor a list of tasks that must be called from the management account, see Operations you can call from only the\r\norganization's management account.\r\nAvoid deploying workloads to the organization’s management account\r\nPrivileged operations can be performed within an organization’s management account, and SCPs do not apply to\r\nthe management account. That's why you should limit the cloud resources and data contained in the management\r\naccount to only those that must be managed in the management account.\r\nDelegate responsibilities outside the management account for decentralization\r\nWhere possible, we recommend delegating responsibilities and services outside the management account. Provide\r\nyour teams with permissions in their own accounts to manage the needs of the organization, without requiring\r\naccess to the management account. In addition, you can register multiple delegated administrators for services that\r\nsupport this functionality such as AWS Service Catalog for sharing software across the organization, or\r\nCloudFormation StackSets for authoring and deploying stacks.\r\nFor more information, see Security Reference Architecture, Organizing Your AWS Environment Using Multiple\r\nAccounts, and AWS services that you can use with AWS Organizations for suggestions on registering member\r\naccounts as delegated administrator for various AWS services.\r\nFor more information about setting up delegated admins, see Enabling a delegated admin account for AWS\r\nAccount Management and Delegated administrator for AWS Organizations.\r\nSource: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html"
	],
	"report_names": [
		"orgs_best-practices_mgmt-acct.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e07e7ad690ccb9c483ce723b6403974424e2a7a.pdf",
		"text": "https://archive.orkl.eu/1e07e7ad690ccb9c483ce723b6403974424e2a7a.txt",
		"img": "https://archive.orkl.eu/1e07e7ad690ccb9c483ce723b6403974424e2a7a.jpg"
	}
}