
Issue with IAM Admin User Console Password Being Disabled

0

I am reaching out regarding an issue I’ve encountered while executing the script mentioned in the section "Remove root credentials at scale" from the following AWS blog post: https://aws.amazon.com/blogs/security/secure-root-user-access-for-member-accounts-in-aws-organizations/

Issue Description: While running the script, I’ve noticed that it is unexpectedly impacting the IAM admin user of the management account. Specifically, each time I execute the script, the console password for the IAM admin user is being disabled.

My Understanding: The script is designed to remove root credentials for member accounts within AWS Organizations, but it should not affect any IAM users, particularly the IAM admin user of the management account.

Observed Behavior: However, when running the script, the IAM admin user in the management account (which is used under the AWS_PROFILE on my local system to make API calls) appears to be impacted. This results in the console password for this IAM user being disabled.

Could you kindly help identify the potential cause of this issue and recommend any necessary modifications to the script?

3 Answers
0

Hello.

Will the password of the IAM user of the parent account of Organizations be deleted even if the account ID is added to "EXCLUDED_ACCOUNTS"?

EXPERT
answered 7 months ago
0

Are your API credentials actually the root's secret keys you're using to execute the script with?

EXPERT
answered 7 months ago
0

No, API credentials that are used to execute scripts are based on IAM user credentials. Below is what I see from sts output.

$ aws sts get-caller-identity
{
    "UserId": "****************",
    "Account": "**********",
    "Arn": "arn:aws:iam::***********:user/iamuser2"
}

answered 7 months ago
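A defensive version of the per-account step, added here as an example and not the script from the blog post: it skips the management account and EXCLUDED_ACCOUNTS, and refuses to issue DeleteLoginProfile unless the session belongs to the target account's root, because the IAM API applies a DeleteLoginProfile with no UserName to whichever principal signed the request. The account list, ARNs and the FakeIam client are constructed, and the ARN shapes used to tell root sessions from IAM users and roles are assumptions.

```python
import re

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")
IAM_PRINCIPAL = re.compile(r"^arn:aws:(?:iam::\d{12}:user/|sts::\d{12}:assumed-role/)")


def plan_accounts(org_accounts, management_account_id, excluded_accounts):
    """ACTIVE member accounts, minus the management account and EXCLUDED_ACCOUNTS."""
    skip = set(excluded_accounts) | {management_account_id}
    return sorted(a["Id"] for a in org_accounts
                  if a.get("Status") == "ACTIVE" and a["Id"] not in skip)


def check_caller(caller_arn, target_account_id):
    """Allow DeleteLoginProfile only from a root session of the target account.
    With no UserName, IAM applies the call to the principal whose access key
    signed the request, so an IAM-user session would delete its own password."""
    m = ACCOUNT_IN_ARN.match(caller_arn)
    if not m or m.group(1) != target_account_id:
        raise PermissionError(f"{caller_arn} is not in account {target_account_id}")
    if IAM_PRINCIPAL.match(caller_arn):  # assumed ARN shapes for user/role sessions
        raise PermissionError(f"{caller_arn} is an IAM user or role, not root")


def remove_root_console_password(iam, caller_arn, target_account_id):
    """Delete root's login profile via `iam` (boto3 IAM client from assume-root
    credentials, or the stand-in below). True if issued, False if none existed."""
    check_caller(caller_arn, target_account_id)
    try:
        iam.delete_login_profile()  # no UserName: acts on the root session itself
    except iam.exceptions.NoSuchEntityException:
        return False
    return True


class FakeIam:
    """Constructed stand-in for a boto3 IAM client: records calls, runs offline."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, root_has_password=True):
        self.root_has_password = root_has_password
        self.calls = []

    def delete_login_profile(self, **kwargs):
        self.calls.append(("DeleteLoginProfile", kwargs))
        if not self.root_has_password:
            raise self.exceptions.NoSuchEntityException()
        self.root_has_password = False
```

With a real boto3 client, pass the ARN from `sts get-caller-identity` for the assume-root session as `caller_arn`; the guard then rejects exactly the situation shown in the thread, where the identity is `user/iamuser2`.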
