By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to deactivate or remove the root user from an account in AWS?

0

Hello, currently organization accounts are created from a configuration designed in Step Functions. I am not using Account Factory. I need to disable or remove the root user.

Topics
ServerlessApplication IntegrationSecurity, Identity, & ComplianceManagement & Governance
Tags
AWS Step FunctionsAWS Identity and Access ManagementAWS OrganizationsAWS Account Management
Language
English
Andres Cruz
asked 10 months ago3178 views
3 Answers
1

Hi. You cant remove root user but you can restrict root user actions by using SCP(except Management Account).

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

profile picture
EXPERT
Hiroki Takahashi
answered 10 months ago
1

This is a complex process because the root user is the initial account identity that is created when you first sign up for AWS. The root user has full access to the account's AWS services and resources.

To improve the security of your AWS account, AWS recommends reducing your reliance on the root user for everyday tasks. Here are some suggested practices:

  • Enable multi-factor authentication (MFA) on your root account to add an extra layer of security.
  • Create IAM users with the least amount of privilege required for the tasks that are typically performed in your account.
  • AWS Organizations can be used to manage permissions and create accounts without the need for a root user password or access keys.
  • AWS access keys should be rotated and removed on a regular basis.
profile picture
EXPERT
Sedat Salman
answered 10 months ago
0

f you have created organization accounts using a configuration in Step Functions and you want to disable or remove the root user, you can follow these steps:

Access the AWS Management Console using the root user credentials of the account you want to modify. Navigate to the IAM (Identity and Access Management) service. In the IAM console, click on "Users" in the left-hand menu. Locate the root user in the list of users and click on its name to access the user details. Click on the "Security credentials" tab. Under the "Login profile" section, click on the "Manage password" link. Choose the "Delete password" option to disable the root user's password. Click on "Apply" or "Save" to confirm the changes. By deleting the root user's password, you effectively disable the ability to log in as the root user. This helps improve the security of the account by enforcing the use of IAM users with appropriate permissions and least privilege principles.

It's important to note that disabling or removing the root user should be done with caution, as the root user has special privileges and is the ultimate authority in the account. Ensure that you have appropriate IAM users and roles configured with the necessary permissions before removing or disabling the root user.

rePost-User-pravikiranreddy
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content