2.1.3 Ensure Organizations management account is not used for workloads

Information

Ensure that the AWS Organizations management account is used only for organizational governance tasks and does not host production workloads, applications, or business data. The management account is the most privileged account in an AWS Organization and performs sensitive administrative functions such as creating and managing member accounts, applying service control policies (SCPs), and managing consolidated billing. Workloads, applications, and associated data should be deployed in dedicated member accounts, not in the management account.

The management account has unique privileges that cannot be restricted by SCPs, making it the highest-risk account in an organization. Deploying workloads or storing business data in the management account increases the attack surface and blast radius of a compromise. If a workload vulnerability or misconfiguration occurs in the management account, it could grant attackers access to organization-wide administrative capabilities.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

- Inventory all workload resources currently in the management account (compute, storage, databases, application services).

- For each class of workload resource (for example, production, non-production, shared services), create or confirm dedicated member accounts within the organization and place them into the appropriate OUs.

- For each workload resource, design a migration plan to the appropriate member account.

- Execute the migrations in phases, starting with lower-risk environments (for example, development/test) before production.

- Review and adjust IAM roles and permissions in the management account so that only personnel responsible for organization governance and security have access.

- Update architecture diagrams, runbooks, and onboarding processes to state that new workloads must be deployed only into designated workload accounts, not the management account.
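As an added example (not part of the CIS benchmark or the Nessus plugin), the inventory step above can be scripted: confirm that the calling account is the organization's management account, then list EC2, RDS and Lambda resources in one region. The check itself is a pure function exercised here on constructed sample API responses; live_audit assumes boto3 and valid credentials, and only covers the region passed to it.

```python
from typing import List

def is_management_account(caller_identity: dict, organization: dict) -> bool:
    """True when the caller's account ID equals the organization's management account ID."""
    return caller_identity["Account"] == organization["Organization"]["MasterAccountId"]

def workload_findings(ec2: dict, rds: dict, lam: dict) -> List[str]:
    """One entry per workload resource found; an empty list means no workloads."""
    findings = []
    for reservation in ec2.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] != "terminated":  # terminated instances linger in listings
                findings.append(f"ec2:{inst['InstanceId']} ({inst['State']['Name']})")
    for db in rds.get("DBInstances", []):
        findings.append(f"rds:{db['DBInstanceIdentifier']}")
    for fn in lam.get("Functions", []):
        findings.append(f"lambda:{fn['FunctionName']}")
    return findings

def audit(caller_identity: dict, organization: dict, ec2: dict, rds: dict, lam: dict) -> dict:
    """Only the management account is held to the governance-only rule of this control."""
    mgmt = is_management_account(caller_identity, organization)
    findings = workload_findings(ec2, rds, lam) if mgmt else []
    return {"management_account": mgmt, "compliant": not findings, "findings": findings}

def live_audit(region: str = "us-east-1") -> dict:
    """Run against a real account; assumes boto3 and credentials. One region per call."""
    import boto3  # assumption: boto3 is installed; EC2/RDS/Lambda listings are regional
    sts, org = boto3.client("sts"), boto3.client("organizations")
    ec2 = boto3.client("ec2", region_name=region)
    rds = boto3.client("rds", region_name=region)
    lam = boto3.client("lambda", region_name=region)
    return audit(
        sts.get_caller_identity(), org.describe_organization(),
        ec2.get_paginator("describe_instances").paginate().build_full_result(),
        rds.get_paginator("describe_db_instances").paginate().build_full_result(),
        lam.get_paginator("list_functions").paginate().build_full_result(),
    )

# Constructed sample API responses (placeholder account IDs, not real resources).
SAMPLE_IDENTITY = {"Account": "111111111111"}
SAMPLE_ORG = {"Organization": {"MasterAccountId": "111111111111"}}
SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb", "State": {"Name": "terminated"}}]}]}
SAMPLE_RDS = {"DBInstances": [{"DBInstanceIdentifier": "orders-db"}]}
SAMPLE_LAMBDA = {"Functions": []}

if __name__ == "__main__":
    print(audit(SAMPLE_IDENTITY, SAMPLE_ORG, SAMPLE_EC2, SAMPLE_RDS, SAMPLE_LAMBDA))
```

Run live_audit once per enabled region, and extend workload_findings with any other resource types (S3, ECS, EKS) your inventory needs to cover.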

Impact:

Restricting the management account to governance-only use may require creating new member accounts, redesigning existing account boundaries, and migrating workloads and data out of the management account. This can introduce short-term complexity and operational overhead. However, it reduces the blast radius of a compromise, simplifies security controls in the most privileged account, and aligns the environment with AWS multi-account and workload-isolation best practices.

See Also

https://workbench.cisecurity.org/benchmarks/24575

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4

Plugin: amazon_aws

Control ID: 14bbc03be1237e46f77f546a38b820c8aad305a0efc6d27746f5a8e28c041df2