Multi-factor Authentication (MFA) for Root Credentials

Stax MFA policy for Stax-owned and customer-owned AWS accounts


Stax MFA Policy

AWS provides the ability to enable Multi-Factor Authentication (MFA) for AWS root credentials. Stax works with AWS root credentials that have MFA enabled for both Stax-owned and customer-owned accounts.

Stax-Owned Accounts

A Stax-owned account is a customer AWS account that uses a Stax-managed domain as the root email address. Stax enables and manages Multi-Factor Authentication (MFA) for the root credentials of all customer AWS Organization Master accounts that are owned by Stax. Stax does not enable or manage MFA for root credentials of any other Stax-owned customer account.

Why don’t we enable MFA on all Stax-owned accounts?

Stax does not enable MFA for the root credentials of all Stax-owned accounts because the root credentials are not stored after creation, so MFA cannot be enabled on them. The root credentials are auto-generated by AWS when the account is created through the AWS Organizations API. The only way to obtain the auto-generated password is via the AWS Forgotten Password flow, which requires access to the root email address. The root email address is locked down and protected with strict security controls.

Customer-Owned Accounts

A customer-owned account is an AWS account that uses your email domain as the root credential's email address. Stax does not enable or manage MFA for the root credentials of customer-owned accounts, since Stax does not have access to the root credentials. It is your responsibility to enable and manage MFA for the root credentials of AWS accounts that you own.
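One way to verify that responsibility is being met is to read each account's IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-decoded) and flag any root user without MFA or with active access keys. The script below is an added example, not Stax code; the account ids and the two credential reports it audits are constructed for the example, and the column names are those AWS documents for the credential report.

```python
"""Audit root-user MFA status from IAM credential reports (added example)."""
import csv
import io

# Constructed sample: the header plus the root row of two credential reports,
# keyed by placeholder account id. Real reports also contain one row per IAM user.
HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,"
          "password_last_changed,password_next_rotation,mfa_active,"
          "access_key_1_active,access_key_1_last_rotated,"
          "access_key_2_active,access_key_2_last_rotated")
SAMPLE_REPORTS = {
    # Compliant: MFA on, no root access keys.
    "111111111111": HEADER + "\n"
        "<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,"
        "not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,"
        "false,N/A,false,N/A\n",
    # Non-compliant: MFA off and an active root access key.
    "222222222222": HEADER + "\n"
        "<root_account>,arn:aws:iam::222222222222:root,2021-06-15T00:00:00+00:00,"
        "not_supported,no_information,not_supported,not_supported,false,"
        "true,2021-06-15T00:00:00+00:00,false,N/A\n",
}

ROOT_USER = "<root_account>"  # the literal user name AWS uses for the root row


def root_findings(report_csv: str) -> list[str]:
    """Return findings for the root row of one credential report (empty = compliant)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        if row["mfa_active"] != "true":
            findings.append("root MFA not enabled")
        # Root access keys are long-lived credentials that MFA does not protect.
        for slot in ("access_key_1_active", "access_key_2_active"):
            if row[slot] == "true":
                findings.append(f"root {slot.replace('_active', '')} is active")
        break
    else:
        findings.append("no root row in report")
    return findings


def audit(reports: dict[str, str]) -> dict[str, list[str]]:
    """Map account id -> findings across a set of credential reports."""
    return {acct: root_findings(text) for acct, text in reports.items()}


if __name__ == "__main__":
    for acct, issues in audit(SAMPLE_REPORTS).items():
        print(f"{acct}: {'OK' if not issues else '; '.join(issues)}")
```

In practice the report text would come from `boto3`'s `iam.get_credential_report()["Content"]` for each account you own; the parsing and the findings logic are unchanged.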

Service Control Policy (SCP) restrictions

Stax limits the ability of root credentials to perform actions on an AWS account by enforcing a mandatory Stax-Protection Service Control Policy (SCP). This SCP is a restrictive policy, attached at the AWS Organization level, that limits the actions available to root credentials. Some actions cannot be restricted by this SCP; these are listed here.
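To show how an SCP can single out the root user, here is an added example of a root-restricting policy together with a minimal evaluator. This is not the Stax-Protection SCP (its content is not given on this page); it is the common AWS pattern of a Deny statement conditioned on the `aws:PrincipalArn` key matching `arn:aws:iam::*:root`. The evaluator models only the parts the example uses (Effect, Action, a `StringLike` condition on the principal ARN); the statement id and the account id in the usage code are placeholders.

```python
"""Illustrative root-restricting SCP and a minimal evaluator (added example)."""
import fnmatch
import json

# Not the Stax-Protection SCP: an illustrative policy denying every action
# when the caller is a member account's root user. An SCP never grants
# permissions; it only caps what IAM policies in the account can allow.
ROOT_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRootUserActions",  # placeholder Sid
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}


def _matches(patterns, value: str) -> bool:
    """Case-insensitive wildcard match, as IAM applies to Action and StringLike."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def scp_denies(policy: dict, principal_arn: str, action: str) -> bool:
    """True if an explicit Deny statement in `policy` matches this principal/action."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        arn_patterns = cond.get("aws:PrincipalArn")
        # No principal condition means the Deny applies to every caller.
        if arn_patterns is None or _matches(arn_patterns, principal_arn):
            return True
    return False


if __name__ == "__main__":
    # The JSON string is what would be passed as policy content when creating the SCP.
    print(json.dumps(ROOT_RESTRICTION_SCP, indent=2))
    for arn in ("arn:aws:iam::111111111111:root",
                "arn:aws:iam::111111111111:role/Admin"):
        verdict = "denied" if scp_denies(ROOT_RESTRICTION_SCP, arn, "s3:ListAllMyBuckets") else "allowed"
        print(f"{arn}: {verdict}")
```

Two properties of SCPs matter when reading this: an SCP attached at the organization root applies to every member account but never to the organization's management account, and AWS documents a small set of root-only tasks that no SCP can block. Both are why the root user of a management account still needs MFA and tightly controlled credentials regardless of the SCP.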

If you need this SCP lifted, please see the Access AWS Account Root User Credential page for more information.