Multi-Factor Authentication for Root User Credentials
See Centralized root access for member accounts for details on securing the root user credentials of your member accounts.
AWS provides the ability to enable multi-factor authentication (MFA) for AWS root user credentials. Stax works with AWS root credentials that have MFA enabled for both reseller-owned and customer-owned accounts. See Account Ownership Models for more information around account ownership within Stax.
Customer-owned management accounts and member accounts
Stax does not enable or manage MFA for the root user credentials of customer-owned accounts, since Stax does not have access to the root user credentials. It is your responsibility to enable and manage MFA for the root user credentials of AWS accounts that you own.
Reseller-owned management accounts
Stax manages MFA for root user credentials of reseller-owned management accounts.
Service Control Policy (SCP) Restrictions
Stax limits the ability of root credentials to perform actions on an AWS account by enforcing a mandatory Stax-Protection Service Control Policy (SCP). This SCP is a restrictive policy, attached at the AWS Organization level that limits the actions available to root credentials. There are some actions that cannot be restricted by this SCP, these are listed here.
If you need this SCP lifted, please see Access AWS Account Root User Credentials for more information.