As part of the Amazon Web Services (AWS) Service Provider Program (SPP), the root user credentials for the consolidated billing account must be owned by the service provider (in this case, Bytes). The primary reason for this relates to the obligations of the service provider as the bill payer and the mitigation of risks associated with being locked out of the billing account for which they are financially and legally responsible.
Note: This only applies to the root user of the consolidated billing account. The root user details of all customer linked accounts will be completely owned by the customer.
Bytes recognise and are strong advocates of our customers' right to own and control access to their environments, resources and data. Therefore, in consultation with AWS, we have agreed a solution that allows Bytes to fulfil their SPP obligations while also allowing the customer to retain full control of their environment and meet any auditing standards that may apply:
- The root user email address and password are owned by Bytes
- The Multi-Factor Authentication (MFA) token for the root user is owned by the customer
- The primary contact telephone number for the account is owned by the customer (for use in the reset of the MFA token)
This solution means that Bytes would be unable to access the account as the root user without the express permission and active participation of the customer.
It’s worth noting that, after initial account creation, it is extremely rare to need to access an account using root credentials, as almost all tasks can (and should) be carried out using an IAM user. The AWS documentation at https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root summarises the tasks that require root access; for a consolidated billing account this list is even shorter, because such an account is usually used primarily for billing administration and some limited shared services and doesn’t host any production workloads.
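Because root access to the billing account should only ever happen with the customer's active participation, every root-user event in the account's CloudTrail log is something the customer can expect to reconcile against a change they approved. The following is an added example (not part of the Bytes article or any AWS tooling) that reads CloudTrail records and lists root-user activity with the MFA indicator from the console sign-in event; the records are constructed for illustration and the account names in them are invented.

```python
import json

# Constructed CloudTrail records (not real account data): one IAM-user action,
# a root console sign-in that reports MFA use, and a root API call that does not.
# The field names (userIdentity.type, additionalEventData.MFAUsed) are the ones
# CloudTrail actually emits; the values are made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "billing-admin"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T09:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
]})


def root_activity(trail_json):
    """Return every record performed by the root user as (eventTime, eventName, mfa_used).

    MFAUsed is only populated by CloudTrail on console sign-in events, so for API
    calls it is reported as "Unknown" unless the record happens to carry it.
    """
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "Unknown")
        findings.append((rec["eventTime"], rec["eventName"], mfa))
    return findings


def report(trail_json):
    """Human-readable lines, one per root-user event, for the customer to reconcile."""
    return [f"{when} root performed {name} (MFAUsed={mfa})"
            for when, name, mfa in root_activity(trail_json)]


if __name__ == "__main__":
    for line in report(SAMPLE_TRAIL):
        print(line)
```

In practice the same filter can be expressed as a CloudWatch Logs metric filter or an EventBridge rule on `userIdentity.type = "Root"`, so that the customer is alerted at the time of the event rather than finding it during a later review; the point of the arrangement described above is that the customer should already know about every such event because they supplied the MFA code.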