Centralize root access for member accounts
Root user credentials are the initial credentials assigned to each Amazon Web Services account; they have complete access to all Amazon services and resources in that account. When you enable Amazon Organizations, you combine all your Amazon accounts into an organization for central management. Each member account has its own root user with default permissions to perform any action in the member account. We recommend that you centrally secure the root user credentials of Amazon Web Services accounts managed with Amazon Organizations, which prevents root user credential recovery and root access at scale.
After you centralize root access, you can choose to delete root user credentials from member accounts in your organization. You can remove the root user password, access keys, signing certificates, and deactivate multi-factor authentication (MFA). New accounts you create in Amazon Organizations have no root user credentials by default. Member accounts can't sign in to their root user or perform password recovery for their root user.
Note
While some tasks that require root user credentials can be performed by the management account or the delegated administrator for IAM, some tasks can only be performed when you sign in as the root user of an account.
If you need to recover root user credentials for a member account to perform one of these tasks, follow the steps in Perform a privileged task and select Allow password recovery. The person with access to the root user email inbox for the member account can then follow the steps to reset the root user password and sign in to the member account root user.
We recommend deleting root user credentials once you complete the task that requires access to the root user.
Prerequisites
Before you centralize root access, you must have an account configured with the following settings:
- You must manage your Amazon Web Services accounts in Amazon Organizations.
- You must have the following permissions to enable this feature in your organization:
  - iam:EnableOrganizationsRootCredentialsManagement
  - iam:EnableOrganizationsRootSessions
  - iam:ListOrganizationsFeatures
  - organizations:RegisterDelegatedAdministrator
  - organizations:EnableAwsServiceAccess
  - organizations:ListAccountsForParent
Enabling centralized root access (console)
To enable this feature for member accounts in the Amazon Web Services Management Console
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane of the console, choose Root access management, and then select Enable.
  Note
  If you see Root access management is disabled, enable trusted access for Amazon Identity and Access Management in Amazon Organizations. For details, see Amazon IAM and Amazon Organizations in the Amazon Organizations User Guide.
- In the Capabilities to enable section, choose which features to enable.
  - Select Root credentials management to allow the management account and the delegated administrator for IAM to delete root user credentials for member accounts. You must also enable Privileged root actions in member accounts to allow member accounts to recover their root user credentials after they have been deleted.
  - Select Privileged root actions in member accounts to allow the management account and the delegated administrator for IAM to perform certain tasks that require root user credentials.
- (Optional) Enter the account ID of the Delegated administrator that is authorized to manage root user access and take privileged actions on member accounts. We recommend an account that is intended for security or management purposes.
- Choose Enable.
Enabling centralized root access (Amazon CLI)
To enable centralized root access from the Amazon Command Line Interface (Amazon CLI)
- If you haven't already enabled trusted access for Amazon Identity and Access Management in Amazon Organizations, use the following command: aws organizations enable-aws-service-access.
- Use the following command to allow the management account and the delegated administrator to delete root user credentials for member accounts: aws iam enable-organizations-root-credentials-management.
- Use the following command to allow the management account and the delegated administrator to perform certain tasks that require root user credentials: aws iam enable-organizations-root-sessions.
- (Optional) Use the following command to register a delegated administrator: aws organizations register-delegated-administrator. The following example assigns account 111111111111 as the delegated administrator for the IAM service.

  aws organizations register-delegated-administrator --service-principal iam.amazonaws.com --account-id 111111111111
Enabling centralized root access (Amazon API)
To enable centralized root access from the Amazon API
- If you haven't already enabled trusted access for Amazon Identity and Access Management in Amazon Organizations, call the following operation: EnableAWSServiceAccess.
- Call the following operation to allow the management account and the delegated administrator to delete root user credentials for member accounts: EnableOrganizationsRootCredentialsManagement.
- Call the following operation to allow the management account and the delegated administrator to perform certain tasks that require root user credentials: EnableOrganizationsRootSessions.
- (Optional) Call the following operation to register a delegated administrator: RegisterDelegatedAdministrator.
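The CLI and API procedures above are the same four steps, so here they are as one script. This is an added example and not part of the Amazon documentation or the AWS CLI itself. It assumes the AWS CLI is installed and configured with management-account credentials that carry the permissions listed under Prerequisites; the account ID 111111111111 is a placeholder; and the check-before-enable calls (list-aws-service-access-for-organization, list-delegated-administrators) and the final verification with list-organizations-features, including the feature names RootCredentialsManagement and RootSessions, go beyond what this page shows.

```shell
#!/bin/sh
# Added example (not from the Amazon documentation): enable centralized root
# access for an organization from the management account, then verify it.
# Assumes the AWS CLI is installed and configured with management-account
# credentials that carry the permissions listed under Prerequisites.
set -eu

IAM_SERVICE_PRINCIPAL="iam.amazonaws.com"
# Placeholder account ID; replace with your security or management account.
DEFAULT_DELEGATED_ADMIN="111111111111"

# Return 0 when $2 (a whitespace-separated list, as produced by --output text)
# contains the exact item $1.
list_contains() {
  for item in $2; do
    [ "$item" = "$1" ] && return 0
  done
  return 1
}

# Account IDs are exactly twelve digits; reject anything else before it
# reaches register-delegated-administrator.
valid_account_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$'
}

# Both capabilities must appear in the ListOrganizationsFeatures result for
# member accounts to be fully covered (credential deletion plus privileged
# root sessions).
features_complete() {
  list_contains RootCredentialsManagement "$1" && list_contains RootSessions "$1"
}

enable_centralized_root_access() {
  admin="$1"
  if ! valid_account_id "$admin"; then
    echo "invalid delegated administrator account ID: $admin" >&2
    return 1
  fi

  # Step 1: trusted access for IAM in Organizations, only if not already on.
  enabled_principals=$(aws organizations list-aws-service-access-for-organization \
    --query 'EnabledServicePrincipals[].ServicePrincipal' --output text)
  if ! list_contains "$IAM_SERVICE_PRINCIPAL" "$enabled_principals"; then
    aws organizations enable-aws-service-access \
      --service-principal "$IAM_SERVICE_PRINCIPAL"
  fi

  # Steps 2 and 3: the two root access management capabilities.
  aws iam enable-organizations-root-credentials-management
  aws iam enable-organizations-root-sessions

  # Step 4 (optional): register the delegated administrator, skipping the
  # call if that account is already registered for the IAM service.
  current_admins=$(aws organizations list-delegated-administrators \
    --service-principal "$IAM_SERVICE_PRINCIPAL" \
    --query 'DelegatedAdministrators[].Id' --output text)
  if ! list_contains "$admin" "$current_admins"; then
    aws organizations register-delegated-administrator \
      --service-principal "$IAM_SERVICE_PRINCIPAL" --account-id "$admin"
  fi

  # Verify: both features must now be listed as enabled.
  features=$(aws iam list-organizations-features \
    --query 'EnabledFeatures' --output text)
  if ! features_complete "$features"; then
    echo "expected RootCredentialsManagement and RootSessions, got: $features" >&2
    return 1
  fi
  echo "centralized root access enabled; delegated administrator: $admin"
}

# Run only when explicitly asked, so the file can be sourced for its helpers:
#   sh enable-root-access.sh --apply 111111111111
if [ "${1:-}" = "--apply" ]; then
  enable_centralized_root_access "${2:-$DEFAULT_DELEGATED_ADMIN}"
fi
```

The verification at the end is the part worth keeping in any automation: enabling only Root credentials management without Privileged root actions leaves member accounts unable to recover deleted root credentials, and the feature list is the one place that shows both capabilities together.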
Next steps
Once you've centrally secured privileged credentials for the member accounts in your organization, see Perform a privileged task to take privileged actions on a member account.