Multi-factor Authentication (MFA) for Root Credentials

Stax MFA policy for Stax-owned and customer-owned AWS accounts.

AWS provides the ability to enable Multi-Factor Authentication (MFA) for AWS root user credentials. Stax works with AWS root credentials that have MFA enabled for both reseller-owned and customer-owned accounts. See Account Ownership Models for more information about account ownership within Stax.

Why Doesn't Stax Enable MFA On All Reseller-Owned Accounts?

Stax does not enable MFA for the root user credentials of all reseller-owned accounts. Because the root credentials are not stored after creation, MFA cannot be enabled on them. The root credentials are auto-generated by AWS at the time of account creation, which Stax performs through the AWS Organizations API. The only way to obtain the auto-generated password is via the AWS Forgotten Password flow, which requires access to the account's root user email address. The root user email address is locked down and protected with strict security controls.

Customer-Owned Accounts

Stax does not enable or manage MFA for the root user credentials of customer-owned accounts, since Stax does not have access to the root user credentials. It is your responsibility to enable and manage MFA for the root user credentials of AWS accounts that you own.

Service Control Policy (SCP) restrictions

Stax limits the ability of root credentials to perform actions on an AWS account by enforcing a mandatory Stax-Protection Service Control Policy (SCP). This SCP is a restrictive policy, attached at the AWS Organization level, that limits the actions available to root credentials. Some actions cannot be restricted by this SCP; these are listed here.

If you need this SCP lifted, please see the Access AWS Account Root User Credential page for more information.
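To make the mechanism concrete, the following is an added example (not the Stax-Protection SCP, whose contents this page does not publish) that applies the AWS-documented pattern for restricting the root user with an SCP: an explicit Deny whose Condition matches `aws:PrincipalArn` against `arn:aws:iam::*:root`. The small evaluator and the sample requests are constructed for illustration; it models only the explicit-Deny-wins rule and the principal condition, and it does not model the AWS-defined set of root-only tasks that no SCP can restrict.

```python
"""Toy evaluation of a root-restricting Service Control Policy (SCP).

Added example; this is not Stax's own policy or code. The policy document
follows the AWS-documented pattern of denying the root user by matching
aws:PrincipalArn. Sample requests below are constructed.
"""
import fnmatch
import json

# Illustrative SCP (assumption: the real Stax-Protection SCP is not on the page).
# A FullAWSAccess-style Allow plus an explicit Deny scoped to the root principal.
ROOT_RESTRICTING_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowEverythingElse", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}}
  ]
}
""")


def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, principal_arn):
    # Action match: any pattern in the statement's Action list (globs allowed).
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
        return False
    # Only the StringLike condition on aws:PrincipalArn is modelled here.
    cond = stmt.get("Condition", {}).get("StringLike", {})
    patterns = _as_list(cond.get("aws:PrincipalArn", []))
    if patterns and not any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
        return False
    return True


def scp_permits(policy, action, principal_arn):
    """Return True if the SCP leaves `action` available to `principal_arn`.

    SCP semantics modelled: an explicit Deny always wins; otherwise the action
    must be covered by at least one Allow. Resource-level matching and the
    AWS-defined root-only tasks that SCPs cannot restrict are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_samples(policy=ROOT_RESTRICTING_SCP):
    """Constructed requests: the same action from root and from an IAM role."""
    samples = [
        ("arn:aws:iam::123456789012:root", "s3:ListAllMyBuckets"),
        ("arn:aws:iam::123456789012:role/Deployer", "s3:ListAllMyBuckets"),
        ("arn:aws:iam::123456789012:root", "iam:CreateUser"),
    ]
    return {f"{arn} {action}": scp_permits(policy, action, arn)
            for arn, action in samples}


if __name__ == "__main__":
    for request, permitted in evaluate_samples().items():
        print(f"{'PERMIT' if permitted else 'DENY  '}  {request}")
```

The IAM role is still permitted because only the Deny statement carries the principal condition; the root user is denied every action the policy covers. In a real organization the policy is attached to the member account (or an OU containing it) from the management account, and the management account's own root user is never subject to SCPs, which is why the restriction is a control on member accounts rather than on the organization as a whole.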

See Also