How to set up email addresses for AWS Control Tower

Category: Cloud Platform

February 22, 2022 by Andre Verheij

When setting up AWS Control Tower, Control Tower will want to create several new AWS accounts for various purposes. Each AWS account needs its own email address; this email address is the "root" username for the AWS account.

The address needs to be unique and can't be in use by anyone else. It's also best practice not to use a personal email address for this account: if nobody has access to the mailbox, you will never be able to reset the root password or regain access to the AWS account.

Control Tower creates a few accounts (Audit, Logging, Management), and then you can have your own accounts, for example Dev and Prod. For these accounts you need a few email addresses:

  • orgname@example.com
  • orgname-audit@example.com
  • orgname-logging@example.com
  • orgname-devaccount@example.com
  • orgname-prodaccount@example.com


How do we set up these addresses?

Depending on the type of email system you (or your company) are using, there are a few ways to achieve this.

Of course, you can create multiple email accounts in your email system, but then you have multiple accounts to check for emails, and you might also have to pay for each mailbox, so that can turn out to be costly as well. It's better to create a group that multiple addresses end up in; some systems call it a distribution list, some a group. You could also create a single "shared mailbox" (a mailbox you do pay for), perhaps called "orgname@example.com", and then add the multiple aliases to this mailbox:

  • orgname-audit@example.com
  • orgname-logging@example.com
  • orgname-devaccount@example.com
  • orgname-prodaccount@example.com

This group can then have multiple members, who all receive these emails in their own mailboxes. Each user can then set up rules in their mailbox to handle them.

In Google Apps for Business

Google Workspace Admin

  • In your Google Admin console (at admin.google.com)...
  • Go to Groups.
  • Click the name of a group.
  • In the Group information section, click Aliases.
  • Point to the Aliases section and click Edit.
  • To add an alias, click Add Alias.

In Microsoft 365 (Office365)

Office 365 Admin Panel

  • Go to the admin panel.
  • On the left, click Show All and then Exchange.
  • In the Exchange Admin, go to Recipients and then Groups.
  • Double-click the group, or create a new distribution list.
  • Click Email Options.
  • Click the + and add the additional email address.

And in non-google and non-office365 systems:

There are many other systems for managing email accounts, but the essence will be the same.

Using "Plus Addressing"

In some systems, like Gmail (works by default) and Microsoft 365 (needs some setup), it's possible to use a + in the email address, which means you could use orgname+audit@example.com. But this only works for individual mailboxes, which brings you back to the original problem: the address is linked to a person's mailbox. So it's better to use the distribution list / group.

(For Microsoft 365 users, there is a web page that describes how to enable "Plus Addressing".)
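Before handing the address list to Control Tower, it is worth checking it for the two mistakes discussed above: an address reused for two accounts (AWS requires each account's root email to be unique) and plus-addressed variants that look different but all land in one person's mailbox. The script below is an added example, not part of the original post; the account names and addresses are constructed, and the syntax check is a deliberately loose pattern, not a full RFC 5322 validator.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Loose e-mail syntax check: enough to catch typos such as a missing domain,
# not a full RFC 5322 validator.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually lands in.

    A plus-addressed local part ("orgname+audit") is delivered to the base
    mailbox ("orgname"), so the "+tag" is stripped. Domains are
    case-insensitive and are lowered; the local part is kept as written.
    """
    local, _, domain = address.strip().partition("@")
    base_local = local.split("+", 1)[0]
    return f"{base_local}@{domain.lower()}"


def check_root_addresses(planned: Dict[str, str]) -> List[str]:
    """Validate a mapping of account name -> planned root e-mail address.

    Returns a list of human-readable problems:
      * malformed addresses;
      * one address used for more than one account (AWS rejects this);
      * distinct plus-addressed variants that all collapse into one
        individual mailbox, which is the problem the post warns about.
    An empty list means the plan looks fine.
    """
    problems: List[str] = []
    accounts_by_address: Dict[str, List[str]] = defaultdict(list)
    entries_by_mailbox: Dict[str, List[tuple]] = defaultdict(list)

    for account, raw in planned.items():
        addr = raw.strip().lower()  # whole address lowered so duplicates compare equal
        if not _ADDR_RE.match(addr):
            problems.append(f"{account}: '{addr}' is not a valid e-mail address")
            continue
        accounts_by_address[addr].append(account)
        entries_by_mailbox[canonical_mailbox(addr)].append((account, addr))

    for addr, accounts in accounts_by_address.items():
        if len(accounts) > 1:
            problems.append(
                f"'{addr}' is reused by accounts {', '.join(accounts)}; "
                "each AWS account needs its own unique address"
            )

    for mailbox, entries in entries_by_mailbox.items():
        distinct = {addr for _, addr in entries}
        if len(distinct) > 1:
            names = ", ".join(account for account, _ in entries)
            problems.append(
                f"accounts {names} all deliver to the single mailbox {mailbox} "
                "via plus addressing; use group aliases instead"
            )
    return problems


# Constructed sample plan (not real addresses): a typical first draft that
# leans on plus addressing and accidentally reuses one address.
EXAMPLE_PLAN = {
    "management": "orgname@example.com",
    "audit": "orgname+audit@example.com",
    "logging": "orgname+logging@example.com",
    "dev": "orgname-devaccount@example.com",
    "prod": "orgname-devaccount@example.com",
    "sandbox": "orgname-sandbox@example",
}

if __name__ == "__main__":
    for problem in check_root_addresses(EXAMPLE_PLAN):
        print("PROBLEM:", problem)
```

Run against the sample plan it reports three problems: the malformed sandbox address, the dev/prod reuse, and the management/audit/logging trio collapsing into the single orgname@example.com mailbox. A plan built from group aliases (orgname-audit@example.com and so on) comes back clean.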

When do I use these email addresses?

In general day-to-day use, you don't use them. The only reason you need to log in with these email addresses is if you want to close the AWS account. AWS has a page that lists what the root user is needed for: Tasks that require root user credentials

Generally, cyber security controls should block or alert on any use of the root address at all; using it is a bad idea in general.
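One concrete form of that control is to watch CloudTrail for any activity by the root principal. The example below is added here and is not from the original post or from AWS; it applies the matching rule used by the CIS AWS Foundations Benchmark root-usage metric filter (userIdentity.type is "Root", no userIdentity.invokedBy, and eventType is not "AwsServiceEvent", so actions AWS services perform on root's behalf are not counted) to a constructed CloudTrail excerpt. The account id, IP addresses and timestamps are made up.

```python
import json
from typing import Any, Dict, Iterable, List

# The CloudWatch Logs metric filter pattern from the CIS AWS Foundations
# Benchmark; the is_root_usage() function below implements the same rule.
ROOT_USAGE_METRIC_FILTER = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Constructed CloudTrail log file body (account id, IPs and times are made up).
SAMPLE_TRAIL = """
{"Records": [
  {"eventTime": "2022-02-22T08:01:10Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
   "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "Root", "accountId": "111122223333"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "Yes"}, "recipientAccountId": "111122223333"},
  {"eventTime": "2022-02-22T08:05:42Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
   "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.11",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "Yes"}, "recipientAccountId": "111122223333"},
  {"eventTime": "2022-02-22T09:12:00Z", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
   "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "cloudformation.amazonaws.com",
   "userIdentity": {"type": "Root", "accountId": "111122223333", "invokedBy": "cloudformation.amazonaws.com"},
   "responseElements": null, "recipientAccountId": "111122223333"},
  {"eventTime": "2022-02-22T09:30:00Z", "eventName": "RotationSucceeded", "eventType": "AwsServiceEvent",
   "eventSource": "secretsmanager.amazonaws.com", "sourceIPAddress": "secretsmanager.amazonaws.com",
   "userIdentity": {"type": "Root", "accountId": "111122223333"},
   "responseElements": null, "recipientAccountId": "111122223333"},
  {"eventTime": "2022-02-22T23:47:19Z", "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
   "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.77",
   "userIdentity": {"type": "Root", "accountId": "111122223333"},
   "responseElements": null, "recipientAccountId": "111122223333"}
]}
"""


def load_records(trail_json: str) -> List[Dict[str, Any]]:
    """Parse a CloudTrail log file body (the {"Records": [...]} shape)."""
    return json.loads(trail_json)["Records"]


def is_root_usage(record: Dict[str, Any]) -> bool:
    """True when the record is the root principal acting directly.

    Records where a service acted on root's behalf (invokedBy present) and
    service-generated events (eventType AwsServiceEvent) are excluded, which
    is exactly what the CIS metric filter does.
    """
    identity = record.get("userIdentity") or {}
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def summarise(record: Dict[str, Any]) -> str:
    """One alert line per record: when, which account, what, from where, MFA."""
    login = (record.get("responseElements") or {}).get("ConsoleLogin")
    outcome = f" ({login})" if login else ""
    mfa = (record.get("additionalEventData") or {}).get("MFAUsed", "n/a")
    return (
        f"{record['eventTime']} account={record.get('recipientAccountId', '?')} "
        f"{record['eventName']}{outcome} from {record.get('sourceIPAddress', '?')} MFAUsed={mfa}"
    )


def find_root_activity(records: Iterable[Dict[str, Any]]) -> List[str]:
    """Return an alert line for every record that counts as root-user activity."""
    return [summarise(r) for r in records if is_root_usage(r)]


if __name__ == "__main__":
    for line in find_root_activity(load_records(SAMPLE_TRAIL)):
        print("ROOT ACTIVITY:", line)
```

On the sample excerpt only two records are reported: the root console login (with MFA) and the root CreateAccessKey call from the command line late at night, which is the kind of event the post says should never happen in day-to-day use. The IAM user login, the CloudFormation call made on root's behalf, and the Secrets Manager service event are all ignored.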

Want to learn more? Contact us here!