- 最新
- 最多得票
- 最多評論
An AWS account root user does have all the permissions for accessing any resources within that account unless not denied explicitly. Resources, which support resource based policy such as S3 bucket, can be denied access to root user by setting up explicit deny in bucket policy within that account.
Root user can view non-root IAM user access keys as well. This is why it's always best practice to delete root user secret/access keys to avoid unintended access to broader set of resources.
Child account's root user's permissions can be limited by Service Control Policy(SCP), through SCP, you can dictate what are those actions which child account's root user can do or can not do.
Hope this helps.
Comment here if you have additional questions, happy to help.
Abhishek
Hi,
you can use the iam:ListAccessKeys API to list all access key ids for a user, check here for more information. So, by iterating over all users, you could list all access key ids in an account.
I saw this https://awscli.amazonaws.com/v2/documentation/api/2.8.7/reference/iam/list-access-keys.html but i need to provide individual user name. Looking for some ref command for all users to get access key in csv foramat. Appreciate response
相關內容
AWS 官方已更新 2 年前
Thanks. Do you have sample command to pull the list of access key ID from management account. so i dont need to log-on to each individual account and run the command,
AWS Organizations allows managing multiple accounts but it doesn't give root users automatic access to child accounts. With that said, you have two options, if this is going to be recurring task, then setup cross account IAM role, where from management account, you can access child account resources or you need to go to each account and generate the list.
How I'd do it, if I'd have access to each account, set up CLI and iteratively run the following CLI command for each CLI profile:
aws iam list-users --output text | awk '{print $NF}' aws iam list-access-keys --user <for_each_user_retrieved from above command> --output text
This can be easily scripted and run for each CLI profile. Hope you find this helpful.
Does this help, or are you looking for something else?
Sorry for late reply. I have not checked the command but looks promising solution. hope i can post my comment here or ask new question on same topic, if require
Yes absolutely.