Management Account
AWS Account for Management
If you intend to deploy AWS Landing Zone into an existing AWS account that already holds a significant number of resources which would take substantial effort to clean up, we recommend starting with a new account instead. The old account can be added to AWS Organizations later.
Lock Down the Management Account
Locking down the AWS management account is essential to protect sensitive data and prevent unauthorized access to an organization's AWS resources. The management account is a critical component of AWS infrastructure and controls access to all other accounts and resources.
When configuring MFA, please ensure that your computer or phone is kept safe and secure to prevent unauthorized access.
- First, let's rename the account to <orgslug>-main.
- Activate MFA on the root login by following the steps on (Link).
- Add one or more additional MFA devices so you are not locked out of the account if you lose the primary device.
- Enable billing access for IAM users by following the steps on (Link).
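A verification step for the lockdown above, as an added example that is not part of this guide: it reads the output of two AWS CLI commands (`aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned`) and reports which of the steps are still missing. The sample JSON and the account id 111111111111 are constructed placeholders; hardware MFA keys are not returned by that API, so the device count is a lower bound.

```python
"""Post-lockdown check: added example, not from the guide. Evaluates the JSON of
`aws iam get-account-summary` and `aws iam list-virtual-mfa-devices
--assignment-status Assigned`. Sample JSON is constructed; account id is a placeholder."""
import json
import subprocess

# Constructed sample mirroring the CLI output of a locked-down account.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}}
SAMPLE_VIRTUAL_MFA = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::111111111111:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::111111111111:root"}},
    {"SerialNumber": "arn:aws:iam::111111111111:mfa/root-backup",
     "User": {"Arn": "arn:aws:iam::111111111111:root"}},
]}

def root_virtual_mfa_count(virtual_mfa: dict) -> int:
    """Virtual MFA devices assigned to root. Hardware/FIDO keys are not
    returned by this API, so treat the result as a lower bound."""
    return sum(1 for d in virtual_mfa.get("VirtualMFADevices", [])
               if d.get("User", {}).get("Arn", "").endswith(":root"))

def evaluate_lockdown(summary: dict, virtual_mfa: dict) -> list:
    """Return findings; an empty list means every check passed."""
    smap = summary.get("SummaryMap", {})
    findings = []
    if smap.get("AccountMFAEnabled") != 1:
        findings.append("root MFA is not enabled")
    if smap.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access keys exist; delete them")
    if root_virtual_mfa_count(virtual_mfa) < 2:
        findings.append("fewer than two MFA devices on root (virtual only)")
    return findings

def aws_json(*args) -> dict:
    """Run an AWS CLI command and parse its JSON output (needs credentials)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

if __name__ == "__main__":
    try:  # live check when the CLI and credentials are present
        summary = aws_json("iam", "get-account-summary")
        mfa = aws_json("iam", "list-virtual-mfa-devices",
                       "--assignment-status", "Assigned")
    except (FileNotFoundError, subprocess.CalledProcessError):
        summary, mfa = SAMPLE_SUMMARY, SAMPLE_VIRTUAL_MFA  # offline fallback
    print(evaluate_lockdown(summary, mfa) or ["all lockdown checks passed"])
```

Run it with management-account credentials after completing the steps; without the CLI it falls back to the constructed sample so the logic can be read offline.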
Enable Cost Explorer
- Go to the Billing and Cost Management console and open Cost Explorer.
- On the Welcome to Cost Explorer page, choose Launch Cost Explorer.
When Cost Explorer becomes available (after 24 hours), select Daily in the Granularity drop-down on the right sidebar. This enables resource-level monitoring at daily granularity.
Enable Cost Optimization Hub
- Go to the Billing and Cost Management console and open Cost Optimization Hub.
- Make sure "Enable Cost Optimization Hub for this account and all member accounts" is selected and click Enable.
- Go to the AWS Compute Optimizer console and select Get started.
- Make sure "All member accounts of this organization" is selected and click Opt in.