Centralize root access for member accounts
Root user credentials are the initial credentials assigned to each AWS account; the root user has complete access to all AWS services and resources in the account. When you enable AWS Organizations, you combine all your AWS accounts into an organization for central management. Each member account has its own root user with default permissions to perform any action in the member account. We recommend you centrally secure the root user credentials of AWS accounts managed using AWS Organizations to prevent root user credential recovery and access at scale.
After you centralize root access, you can choose to delete root user credentials from member accounts in your organization. You can remove the root user password, access keys, signing certificates, and deactivate and delete multi-factor authentication (MFA). New accounts you create in Organizations have no root user credentials by default. Member accounts can't sign in to their root user or perform password recovery for their root user.
If you need to recover root user credentials for a member account, you can enable password recovery on the account. Some tasks can only be performed when you sign in as the root user of an account. Some of these tasks that require root user credentials can be performed by the management account or the delegated administrator for IAM instead. We recommend deleting root user credentials again once you complete the task that requires access to the root user. To learn more about privileged tasks you can perform, see Perform a privileged task.
Prerequisites
Before you centralize root access, you must have an account configured with the following settings:
- You must manage your AWS accounts in AWS Organizations.
- Enable trusted access for AWS Identity and Access Management in AWS Organizations. For details, see IAM and AWS Organizations in the AWS Organizations User Guide.
You must have the following permissions to enable this feature in your organization:
- iam:EnableOrganizationsRootCredentialsManagement
- iam:EnableOrganizationsRootSessions
- organizations:RegisterDelegatedAdministrator
- organizations:EnableAwsServiceAccess
Enabling centralized root access (console)
To enable this feature for member accounts in the AWS Management Console
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane of the console, choose Root access management, and then select Enable.
  Note: If you see Root access management is disabled, enable trusted access for AWS Identity and Access Management in AWS Organizations. For details, see AWS IAM and AWS Organizations in the AWS Organizations User Guide.
- In the Capabilities to enable section, choose which features to enable.
  - Select Root credentials management to allow the management account and the delegated administrator for IAM to delete root user credentials for member accounts. You must also enable Privileged root actions in member accounts to allow member accounts to recover their root user credentials after they have been deleted.
  - Select Privileged root actions in member accounts to allow the management account and the delegated administrator for IAM to perform certain tasks that require root user credentials.
- (Optional) Enter the account ID of the Delegated administrator that is authorized to manage root user access and take privileged actions on member accounts. We recommend an account that is intended for security or management purposes.
- Choose Enable.
Enabling centralized root access (AWS CLI)
To enable centralized root access from the AWS Command Line Interface (AWS CLI)
- If you haven't already enabled trusted access for AWS Identity and Access Management in AWS Organizations, use the following command (the IAM service principal must be specified): aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
- Use the following command to allow the management account and the delegated administrator to delete root user credentials for member accounts: aws iam enable-organizations-root-credentials-management
- Use the following command to allow the management account and the delegated administrator to perform certain tasks that require root user credentials: aws iam enable-organizations-root-sessions
- (Optional) Use the following command to register a delegated administrator: aws organizations register-delegated-administrator. The following example assigns account 111111111111 as the delegated administrator for the IAM service.
aws organizations register-delegated-administrator --service-principal iam.amazonaws.com --account-id 111111111111
Enabling centralized root access (AWS API)
To enable centralized root access from the AWS API
- If you haven't already enabled trusted access for AWS Identity and Access Management in AWS Organizations, use the following operation: EnableAWSServiceAccess.
- Use the following operation to allow the management account and the delegated administrator to delete root user credentials for member accounts: EnableOrganizationsRootCredentialsManagement.
- Use the following operation to allow the management account and the delegated administrator to perform certain tasks that require root user credentials: EnableOrganizationsRootSessions.
- (Optional) Use the following operation to register a delegated administrator: RegisterDelegatedAdministrator.
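The CLI and API steps above are one procedure: enable trusted access, enable the two root features, optionally delegate. The following is an added example (not code from the AWS documentation) that runs that procedure idempotently through the boto3 method names for the same APIs, and checks the end state against the caveat in the console section: if Root credentials management is on but Privileged root actions is off, a member account whose root credentials get deleted has no recovery path. The FakeOrganizations and FakeIAM classes are constructed stand-ins so the flow can be exercised offline; in a real run you pass boto3.client("organizations") and boto3.client("iam") from the management account, which needs the four permissions listed under Prerequisites.

```python
"""Idempotent enablement of centralized root access for an AWS Organization.

Added example for this page, not AWS's own code. The Fake* clients below are
constructed stand-ins; the real boto3 method names are used for all calls.
"""

IAM_PRINCIPAL = "iam.amazonaws.com"
ROOT_CREDS = "RootCredentialsManagement"     # values returned by ListOrganizationsFeatures
ROOT_SESSIONS = "RootSessions"


def iam_trusted_access_enabled(org):
    """True if IAM already has trusted access in the organization."""
    resp = org.list_aws_service_access_for_organization()
    return any(p["ServicePrincipal"] == IAM_PRINCIPAL
               for p in resp.get("EnabledServicePrincipals", []))


def enabled_root_features(iam):
    """Set of centralized-root features currently enabled."""
    return set(iam.list_organizations_features().get("EnabledFeatures", []))


def iam_delegated_admins(org):
    resp = org.list_delegated_administrators(ServicePrincipal=IAM_PRINCIPAL)
    return {a["Id"] for a in resp.get("DelegatedAdministrators", [])}


def enable_centralized_root_access(org, iam, delegated_admin=None):
    """Enable trusted access, both root features and (optionally) a delegated admin.

    Only the Enable*/Register* calls that are actually needed are made, so the
    function is safe to re-run. Returns (final_features, actions_taken).
    """
    actions = []
    if not iam_trusted_access_enabled(org):
        org.enable_aws_service_access(ServicePrincipal=IAM_PRINCIPAL)
        actions.append("EnableAWSServiceAccess")

    have = enabled_root_features(iam)
    if ROOT_CREDS not in have:
        iam.enable_organizations_root_credentials_management()
        actions.append("EnableOrganizationsRootCredentialsManagement")
    if ROOT_SESSIONS not in have:
        iam.enable_organizations_root_sessions()
        actions.append("EnableOrganizationsRootSessions")

    if delegated_admin and delegated_admin not in iam_delegated_admins(org):
        org.register_delegated_administrator(
            AccountId=delegated_admin, ServicePrincipal=IAM_PRINCIPAL)
        actions.append(f"RegisterDelegatedAdministrator:{delegated_admin}")

    final = enabled_root_features(iam)
    # Caveat from the page: credentials management without privileged root
    # actions leaves deleted root credentials unrecoverable. Fail loudly.
    if ROOT_CREDS in final and ROOT_SESSIONS not in final:
        raise RuntimeError("RootCredentialsManagement is on but RootSessions is off; "
                           "enable RootSessions before deleting any root credentials")
    return final, actions


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (offline only)."""
    def __init__(self, trusted=(), admins=()):
        self.trusted = set(trusted)
        self.admins = set(admins)

    def list_aws_service_access_for_organization(self):
        return {"EnabledServicePrincipals": [{"ServicePrincipal": p} for p in self.trusted]}

    def enable_aws_service_access(self, ServicePrincipal):
        self.trusted.add(ServicePrincipal)

    def list_delegated_administrators(self, ServicePrincipal):
        return {"DelegatedAdministrators": [{"Id": a} for a in self.admins]}

    def register_delegated_administrator(self, AccountId, ServicePrincipal):
        self.admins.add(AccountId)


class FakeIAM:
    """Constructed stand-in for boto3's IAM client (offline only)."""
    def __init__(self, features=(), refuse=()):
        self.features = set(features)
        self.refuse = set(refuse)   # features this fake silently fails to enable

    def list_organizations_features(self):
        return {"EnabledFeatures": sorted(self.features)}

    def enable_organizations_root_credentials_management(self):
        if ROOT_CREDS not in self.refuse:
            self.features.add(ROOT_CREDS)

    def enable_organizations_root_sessions(self):
        if ROOT_SESSIONS not in self.refuse:
            self.features.add(ROOT_SESSIONS)


if __name__ == "__main__":
    import boto3  # real run: management-account credentials with the four permissions
    print(enable_centralized_root_access(boto3.client("organizations"), boto3.client("iam")))
```

Re-running the function against an organization that is already configured reports an empty action list, which makes it usable as a drift check as well as a one-time setup step.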
Next steps
Once you've centrally secured privileged credentials for the member accounts in your organization, see Perform a privileged task to take privileged actions on a member account.