This is the latest documentation for the Cloud Posse Reference Architecture. To determine which version you're currently using, please see Version Identification.

Preparing Your AWS Organization

The Cold Start involves more manual steps than other layers. Read through the following steps carefully.

Cold Start

The setup process for the "baseline" or "account" layer is commonly referred to as the Cold Start.

Before Running Terraform (ClickOps)

First, you'll need to perform some ClickOps to ensure things are set up before we use Terraform to manage AWS accounts.

From the root account:

  1. Get Business Class Support

    Enable Business Support in the root account, in order to expedite requests to raise the AWS member account limits.

  2. Set up MFA on Root Account

    Set up the Virtual MFA device on the root account following the AWS documentation.

    1. Navigate to the root account's security credentials
    2. Set up a Virtual MFA device
    3. Save the MFA TOTP key in 1Password using 1Password's TOTP field and built-in screen scanner to scan the QR code

  3. Create the SuperAdmin IAM User

    Create a SuperAdmin IAM User. This break-glass user is used during cold start bootstrapping before IAM Identity Center is provisioned. After cold start, it should only be used if your IdP is completely unavailable; otherwise, use Permission Sets.

    1. Create the IAM user (do not enable "console login")
    2. Set up MFA for the user
    3. Create a single Access Key
    4. Store credentials in 1Password: Access Key ID, Secret Access Key, Assigned MFA device ARN, and TOTP key

  4. Enable IAM Access for Billing

    For billing users, you need to enable IAM access to billing information.

    1. As the root user, open AWS Billing Account Settings
    2. Scroll to "IAM user and role access to Billing information"
    3. Enable IAM access

  5. Enable Centralized Root Access

    Enable centralized root access management to eliminate the need for per-account root credentials. This allows the management account to perform privileged root operations on member accounts without maintaining separate root passwords or MFA devices.

    1. Navigate to IAM → Root access management
    2. Enable Root credentials management
    3. Enable Privileged root actions

    For more details, see Centralized Root Access.

  6. Enable Regions (Optional)

    The 17 original AWS regions are enabled by default. If you are using a region that is not enabled by default (such as Middle East/Bahrain), you need to enable it in your AWS account settings.

  7. Prepare for Account Quota Increase

    In order to deploy all accounts, you need to request an increase of the Account Quota from AWS support. This requires an AWS Organization to be created first, which we will create with Terraform in the Deploy Accounts guide. This request can take a few days to process, so it's important to get it started early so that it doesn't become a blocker.

    At this time we don't need to request the increase, but we should be prepared to do so as soon as the AWS Organization is created.
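Once the ClickOps steps above are done, a script can confirm that the root MFA, SuperAdmin and centralized root access steps actually took effect. The following is an added example, not part of the Cloud Posse reference architecture; it assumes the IAM user is named `SuperAdmin` and that the installed boto3 is recent enough to expose `list_organizations_features` (the centralized root access API).

```python
"""Readiness check for the Cold Start ClickOps steps (added example, not Cloud Posse code).

The check_* functions are pure so they can be exercised offline on constructed input;
run_live() gathers the real inputs with boto3 using the SuperAdmin credentials.
"""
SUPERADMIN_USER = "SuperAdmin"  # assumption: the user name is not fixed by the guide


def check_root_mfa(summary):
    """Root MFA step: get-account-summary reports AccountMFAEnabled == 1 when the root has MFA."""
    return [] if summary.get("AccountMFAEnabled") == 1 else ["root account has no MFA device"]


def check_superadmin(mfa_devices, access_keys, has_login_profile):
    """SuperAdmin step: one MFA device, exactly one access key, no console password."""
    findings = []
    if not mfa_devices:
        findings.append("SuperAdmin has no MFA device")
    if len(access_keys) != 1:
        findings.append(f"SuperAdmin must have exactly one access key, found {len(access_keys)}")
    if has_login_profile:
        findings.append("SuperAdmin has console login enabled; it should be API-only")
    return findings


def check_centralized_root(enabled_features):
    """Centralized root access step: both organization features must be enabled."""
    missing = {"RootCredentialsManagement", "RootSessions"} - set(enabled_features)
    return [f"centralized root access feature not enabled: {f}" for f in sorted(missing)]


def run_live(user=SUPERADMIN_USER):
    """Collect the inputs from AWS and return the list of findings (empty list == ready)."""
    import boto3
    from botocore.exceptions import ClientError
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    mfa = iam.list_mfa_devices(UserName=user)["MFADevices"]
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    try:  # a login profile only exists when a console password was set
        iam.get_login_profile(UserName=user)
        has_login = True
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchEntity":
            raise
        has_login = False
    features = iam.list_organizations_features().get("EnabledFeatures", [])
    return check_root_mfa(summary) + check_superadmin(mfa, keys, has_login) + check_centralized_root(features)


if __name__ == "__main__":
    for finding in run_live():
        print("NOT READY:", finding)
```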

Next Steps

Now that your AWS Organization is prepared with MFA, SuperAdmin credentials, and billing access configured, you're ready to initialize the Terraform state backend that will store all infrastructure state. Initialize Terraform Backend