
Bootstrap AWS Root Account

  1. Log into the AWS Root Account using the root account credentials from 1Password

  2. Enable MFA on the root user credentials

    Use 2 physical security keys, registered as two separate MFA devices on the root user, so that losing one key does not lock you out of the account

  3. Generate an Access Keypair (https://console.aws.amazon.com/iam/home#/security_credentials). These root access keys are temporary: they exist only for this bootstrap session and are deleted again in step 7

  4. Launch an AWS CLI Container

    # Root keys passed via the environment are visible to `docker inspect` on this host
    # and may land in shell history; unset them once the container exits.
    export AWS_ACCESS_KEY_ID="< Access Key ID from step 3 >"
    export AWS_SECRET_ACCESS_KEY="< Secret Access Key from step 3 >"
    docker \
      run \
      -it \
      --rm \
      --entrypoint /bin/bash \
      --env AWS_DEFAULT_REGION="eu-west-2" \
      --env AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
      --env AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
      --volume "$(pwd)":/workspace \
      --workdir /workspace \
      docker.io/amazon/aws-cli
    
  5. Validate AWS Identity

    aws sts get-caller-identity
    {
        "UserId": "769520176253",
        "Account": "769520176253",
        "Arn": "arn:aws:iam::769520176253:root"
    }

    Only the root user has a UserId equal to the account ID and an Arn ending in `:root`. If the Arn shows a `user/` or `assumed-role/` path, or a different account ID, the wrong credentials are loaded; stop and fix the environment before step 6
    
  6. Create CloudFormation Stack (`CAPABILITY_NAMED_IAM` is required because the template creates IAM resources with explicit names)

    aws \
      cloudformation \
      create-stack \
      --stack-name root-account-bootstrap \
      --template-body file://cloudformation/root-account-bootstrap.yaml \
      --capabilities CAPABILITY_NAMED_IAM
    
  7. Delete the Root Access Keypair created in step 3 (https://console.aws.amazon.com/iam/home#/security_credentials) and confirm that no root access keys remain listed. Do not skip this step: the root user cannot be restricted by IAM policy, so a leaked root key is a full account compromise
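The steps above are typed by hand; the script below is an added example, not part of this runbook or its CloudFormation template, that wraps steps 2, 5 and 6 (and the Updating section further down) in guard rails. It refuses to run unless the loaded credentials are the root principal of the account named in `EXPECTED_ACCOUNT_ID` (an assumed variable you export first), checks that account-level MFA is already on, then creates or updates `root-account-bootstrap` and blocks until CloudFormation settles so a failed stack is visible immediately. It assumes it runs inside the `amazon/aws-cli` container from step 4, with `cloudformation/root-account-bootstrap.yaml` mounted under `/workspace`.

```shell
#!/bin/sh
# Added example (not the project's own code): guard rails around the
# root-account bootstrap. Assumes `aws` on PATH (the amazon/aws-cli image)
# and EXPECTED_ACCOUNT_ID exported by the operator.
set -eu

# check_root_identity <get-caller-identity JSON> <expected 12-digit account id>
# Succeeds only when the caller is the root principal of the expected account.
# Parses the JSON with sed so it works without jq inside the container.
check_root_identity() {
  json="$1"
  expected="$2"
  arn=$(printf '%s' "$json" | sed -n 's/.*"Arn": *"\([^"]*\)".*/\1/p')
  account=$(printf '%s' "$json" | sed -n 's/.*"Account": *"\([^"]*\)".*/\1/p')
  [ "$account" = "$expected" ] || return 1
  [ "$arn" = "arn:aws:iam::${expected}:root" ] || return 1
  return 0
}

# check_root_mfa: AccountMFAEnabled in the account summary is 1 once step 2 is done.
check_root_mfa() {
  mfa=$(aws iam get-account-summary \
          --query 'SummaryMap.AccountMFAEnabled' --output text)
  [ "$mfa" = "1" ]
}

# bootstrap_stack: create the stack on first run, update it afterwards, and
# wait for the terminal state. Note that update-stack fails with
# "No updates are to be performed." when the template is unchanged.
bootstrap_stack() {
  stack="root-account-bootstrap"
  template="file://cloudformation/root-account-bootstrap.yaml"
  if aws cloudformation describe-stacks --stack-name "$stack" >/dev/null 2>&1; then
    aws cloudformation update-stack --stack-name "$stack" \
      --template-body "$template" --capabilities CAPABILITY_NAMED_IAM
    aws cloudformation wait stack-update-complete --stack-name "$stack"
  else
    aws cloudformation create-stack --stack-name "$stack" \
      --template-body "$template" --capabilities CAPABILITY_NAMED_IAM
    aws cloudformation wait stack-create-complete --stack-name "$stack"
  fi
}

main() {
  expected="${EXPECTED_ACCOUNT_ID:?export the 12-digit account id from 1Password}"
  identity=$(aws sts get-caller-identity)
  if ! check_root_identity "$identity" "$expected"; then
    echo "refusing to continue: credentials are not root of account $expected" >&2
    echo "$identity" >&2
    exit 1
  fi
  if ! check_root_mfa; then
    echo "refusing to continue: root user has no MFA device (step 2)" >&2
    exit 1
  fi
  bootstrap_stack
  echo "stack settled; now delete the root access keypair (step 7)" >&2
}

# Run only when explicitly requested, so the functions can be sourced for review.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
  main
fi
```

Run it from `/workspace` in the container with `EXPECTED_ACCOUNT_ID=<account id> RUN_BOOTSTRAP=1 sh bootstrap.sh`. The identity guard is the important part: a stale `AWS_PROFILE` or leftover credentials in the environment would otherwise silently deploy the root bootstrap template into the wrong account.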

Updating

In case you need to perform an update to the root-account-bootstrap, repeat steps 1 to 5 (a new temporary root access keypair is generated), run the update below, and then delete that keypair again as in step 7

aws \
  cloudformation \
  update-stack \
  --stack-name root-account-bootstrap \
  --template-body file://cloudformation/root-account-bootstrap.yaml \
  --capabilities CAPABILITY_NAMED_IAM