
How do I set up centralized root access in IAM for member accounts?


I want to set up centralized root access for member accounts in AWS Identity and Access Management (IAM).

Resolution

You can secure root user credentials across the member accounts in your organization with centralized root access. You can also activate centralized root access to delete root user credentials from member accounts and perform privileged tasks without recovering root user credentials.

Prerequisites

Before you centralize root access, verify that you meet the following prerequisites.

Activate centralized root access

Centralized root access includes root credentials management and privileged root actions in member accounts. To activate centralized root access, use the AWS Management Console or the AWS Command Line Interface (AWS CLI).

Delete root user credentials

After you activate centralized root access, you can delete root credentials from member accounts to remove the root user's password, access keys, and signing certificates. Deleting root credentials also deactivates multi-factor authentication (MFA) for the root user.

Important: By default, new accounts that you create in AWS Organizations don't have root credentials. After you delete root user credentials, member accounts can't sign in to their root user or perform password recovery for their root user.

Perform privileged root actions

After you activate centralized root access, you can perform privileged tasks on member accounts without recovering root user credentials. For example, you can delete misconfigured Amazon Simple Storage Service (Amazon S3) bucket policies and Amazon Simple Queue Service (Amazon SQS) queue policies, and you can manage root user credentials.

Note: Root sessions are limited to 15 minutes and task-scoped. All actions are logged in AWS CloudTrail for auditing.

Adjust SCPs to allow root sessions

If your organization has a service control policy (SCP) that denies all root user access, then that SCP also blocks centralized root access sessions. Adjust the SCP to include sts:AssumeRoot so that task-scoped root sessions are allowed.

For an example SCP that allows scoped root sessions, see the service-control-policy-examples repository on the GitHub website.
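The following is an added illustration, not code from this article or from the service-control-policy-examples repository: two constructed SCPs, one that denies every root user action and one that carves out sts:AssumeRoot, and a deliberately simplified evaluator (Deny statements, Action/NotAction, and a StringLike condition on aws:PrincipalArn only) that shows which requests each policy blocks. The account ID and statement IDs are placeholders.

```python
import fnmatch
import json

# Constructed example SCPs (illustrative, not the official examples from the
# service-control-policy-examples repository).
DENY_ALL_ROOT_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllRootUserActions",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
  }]
}""")

# Adjusted SCP: the same deny, but sts:AssumeRoot is carved out with NotAction
# so that task-scoped root sessions are not blocked.
ALLOW_ASSUME_ROOT_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyRootUserActionsExceptAssumeRoot",
    "Effect": "Deny",
    "NotAction": "sts:AssumeRoot",
    "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM-style wildcard matching (* and ?) for actions and ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def scp_denies(scp, action, principal_arn):
    """Simplified check: True if any Deny statement matches both the action
    (via Action or NotAction) and the aws:PrincipalArn StringLike condition.
    Allow statements, Resource matching and other condition keys are ignored."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action)
        else:
            action_hit = not _matches(stmt["NotAction"], action)
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if action_hit and _matches(cond.get("aws:PrincipalArn", "*"), principal_arn):
            return True
    return False
```

Running scp_denies(DENY_ALL_ROOT_SCP, "sts:AssumeRoot", "arn:aws:iam::111122223333:root") returns True (the session is blocked), while the adjusted policy returns False for that call and still denies any other root action.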

Related information

Secure root user access for member accounts in AWS Organizations

AWS account root user

Security best practices in IAM