Perform a privileged task on an Amazon Organizations member account
The Amazon Organizations management account or a delegated administrator account for IAM can perform some root user tasks on member accounts using short-term root access. Normally, these tasks can only be performed when you sign in as the root user of the account. Short-term privileged sessions give you temporary credentials that are scoped to a single privileged action on a member account in your organization.
Once you launch a privileged session, you can delete a misconfigured Amazon S3 bucket policy, delete a misconfigured Amazon SQS queue policy, delete the root user credentials for a member account, and reenable root user credentials for a member account.
Prerequisites
Before you can launch a privileged session, the following must be in place:
- You have enabled centralized root access in your organization. For steps to enable this feature, see Centralize root access for member accounts.
- Your management account or delegated administrator account has the following permission: sts:AssumeRoot
Taking a privileged action on a member account (console)
To launch a session for privileged action in a member account in the Amazon Web Services Management Console
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane of the console, choose Root access management.
- Select a name from the member account list, and choose Take privileged action.
- Choose the privileged action you want to take in the member account.
  - Select Delete Amazon S3 bucket policy to remove a misconfigured bucket policy that denies all principals access to the Amazon S3 bucket.
    - Choose Browse S3 to select a name from the buckets owned by the member account, and select Choose.
    - Choose Delete bucket policy.
    - Use the Amazon S3 console to correct the bucket policy after deleting the misconfigured policy. For more information, see Adding a bucket policy by using the Amazon S3 console in the Amazon S3 User Guide.
  - Select Delete Amazon SQS policy to delete an Amazon Simple Queue Service resource-based policy that denies all principals access to an Amazon SQS queue.
    - Enter the queue name in SQS queue name, and select Delete SQS policy.
    - Use the Amazon SQS console to correct the queue policy after deleting the misconfigured policy. For more information, see Configuring an access policy in Amazon SQS in the Amazon SQS Developer Guide.
  - Select Delete root credentials to remove root access from a member account. Deleting root user credentials removes the root user password, access keys, and signing certificates, and deactivates multi-factor authentication (MFA) for the member account.
    - Choose Delete root credentials.
  - Select Allow password recovery to recover root user credentials for a member account. This option is only available when the member account has no root user credentials.
    - Choose Allow password recovery.
    - After taking this privileged action, the person with access to the root user email inbox for the member account can reset the root user password and sign in to the member account as the root user.
Taking a privileged action on a member account (Amazon CLI)
To launch a session for privileged action in a member account from the Amazon Command Line Interface
- Use the following command to assume a root user session: aws sts assume-root.
  Note
  The global endpoint is not supported for sts:AssumeRoot. You must send this request to a Regional Amazon STS endpoint. For more information, see Manage Amazon STS in an Amazon Web Services Region.
  When you launch a privileged root user session for a member account, you must define task-policy-arn to scope the session to the privileged action to be performed during the session. You can use one of the following Amazon managed policies to scope privileged session actions. To limit the actions a management account or delegated administrator can perform during a privileged root user session, you can use the Amazon STS condition key sts:TaskPolicyArn.
  In the following example, the delegated administrator assumes root to delete the root user credentials for the member account ID 111122223333.
  aws sts assume-root \
      --target-principal 111122223333 \
      --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials \
      --duration-seconds 900
- Use the AccessKeyId and SecretAccessKey from the response to perform privileged actions in the member account. You can omit the user name and password in the request to default to the member account.
  - Check the status of root user credentials. Use the following commands to check the status of root user credentials for a member account.
  - Delete root user credentials. Use the following commands to delete root access. You can remove the root user password, access keys, and signing certificates, and deactivate multi-factor authentication (MFA) to remove all access to and recovery of the root user.
  - Delete Amazon S3 bucket policy. Use the following commands to read, edit, and delete a misconfigured bucket policy that denies all principals access to the Amazon S3 bucket.
  - Delete Amazon SQS policy. Use the following commands to view and delete an Amazon Simple Queue Service resource-based policy that denies all principals access to an Amazon SQS queue.
  - Allow password recovery. Use the following commands to view the user name and recover root user credentials for a member account.
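The CLI procedure above, and the equivalent API procedure that follows it, as one runnable script. This is an added example, not the page's own code: it assumes the AWS CLI is on PATH, that the caller holds sts:AssumeRoot in the management or delegated administrator account, and that the session token returned alongside the access key must also be exported. The IAMDeleteRootUserCredentials and S3UnlockBucketPolicy ARNs are the ones the page shows; IAMAuditRootUserCredentials is assumed here to be the root-task policy that scopes a status check. The hypothetical `aws` stub used to verify the script offline is not part of the block.

```shell
#!/bin/sh
# Added example (not the page's own script): run one scoped privileged task on a
# member account through a short-term root session, then drop the credentials.
set -eu

# Root-task managed policies. The first two ARNs appear on the page; the audit
# policy name is an assumption of this example.
task_policy_arn() {
  case "$1" in
    audit-root-credentials)  echo "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials" ;;
    delete-root-credentials) echo "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials" ;;
    unlock-s3-bucket)        echo "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy" ;;
    *) echo "unknown task: $1" >&2; return 1 ;;
  esac
}

# A member account ID is exactly 12 digits; reject anything else before calling STS.
valid_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Assume root into the member account, scoped to one task policy, and export the
# temporary credentials (access key, secret key and session token). The call goes
# to a Regional STS endpoint because the global endpoint is not supported.
start_root_session() {  # args: account_id task region
  policy=$(task_policy_arn "$2")
  creds=$(aws sts assume-root \
    --region "$3" \
    --target-principal "$1" \
    --task-policy-arn "arn=$policy" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  AWS_ACCESS_KEY_ID=$(printf '%s\n' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s\n' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Remove the temporary credentials from the environment once the task is done.
end_root_session() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Inside the session, IAM calls omit --user-name so they act on the member
# account's root user, as the page describes.
audit_root_credentials() {
  aws iam get-login-profile 2>/dev/null || echo "no root password set"
  aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text
  aws iam list-mfa-devices --query 'MFADevices[].SerialNumber' --output text
}

delete_root_credentials() {
  aws iam get-login-profile >/dev/null 2>&1 && aws iam delete-login-profile
  for key in $(aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    aws iam delete-access-key --access-key-id "$key"
  done
  for serial in $(aws iam list-mfa-devices --query 'MFADevices[].SerialNumber' --output text); do
    aws iam deactivate-mfa-device --serial-number "$serial"
  done
  for cert in $(aws iam list-signing-certificates --query 'Certificates[].CertificateId' --output text); do
    aws iam delete-signing-certificate --certificate-id "$cert"
  done
}

unlock_s3_bucket() {  # args: bucket
  # Keep a copy of the policy being removed so it can be corrected and re-applied.
  aws s3api get-bucket-policy --bucket "$1" --query Policy --output text > "removed-policy-$1.json"
  aws s3api delete-bucket-policy --bucket "$1"
}

run_privileged_task() {  # args: account_id task region [bucket]
  valid_account_id "$1" || { echo "invalid account id: $1" >&2; return 1; }
  start_root_session "$1" "$2" "$3"
  case "$2" in
    audit-root-credentials)  audit_root_credentials ;;
    delete-root-credentials) delete_root_credentials ;;
    unlock-s3-bucket)        unlock_s3_bucket "$4" ;;
  esac
  end_root_session
}

# Usage: RUN_PRIVILEGED_TASK=1 sh privileged_task.sh 111122223333 delete-root-credentials cn-north-1
if [ "${RUN_PRIVILEGED_TASK:-0}" = "1" ]; then
  run_privileged_task "$@"
fi
```

The session is scoped twice: once by the task policy passed to assume-root, and once by the script only ever running the commands that belong to the chosen task. The credentials are removed from the environment as soon as the task finishes; they would also stop working on their own when the 900-second session the page specifies expires.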
Taking a privileged action on a member account (Amazon API)
To launch a session for privileged action in a member account from the Amazon API
- Use the following command to assume a root user session: AssumeRoot.
  Note
  The global endpoint is not supported for AssumeRoot. You must send this request to a Regional Amazon STS endpoint. For more information, see Manage Amazon STS in an Amazon Web Services Region.
  When you launch a privileged root user session for a member account, you must define TaskPolicyArn to scope the session to the privileged action to be performed during the session. You can use one of the following Amazon managed policies to scope privileged session actions. To limit the actions a management account or delegated administrator can perform during a privileged root user session, you can use the Amazon STS condition key sts:TaskPolicyArn.
  In the following example, the delegated administrator assumes root to read, edit, and delete a misconfigured resource-based policy for an Amazon S3 bucket in the member account ID 111122223333.
  https://sts.us-east-2.amazonaws.com/
      ?Version=2011-06-15
      &Action=AssumeRoot
      &TargetPrincipal=111122223333
      &TaskPolicyArn.arn=arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy
      &DurationSeconds=900
- Use the AccessKeyId and SecretAccessKey from the response to perform privileged actions in the member account. You can omit the user name and password in the request to default to the member account.
  - Check the status of root user credentials. Use the following commands to check the status of root user credentials for a member account.
  - Delete root user credentials. Use the following commands to delete root access. You can remove the root user password, access keys, and signing certificates, and deactivate multi-factor authentication (MFA) to remove all access to and recovery of the root user.
  - Delete Amazon S3 bucket policy. Use the following commands to read, edit, and delete a misconfigured bucket policy that denies all principals access to the Amazon S3 bucket.
  - Delete Amazon SQS policy. Use the following commands to view and delete an Amazon Simple Queue Service resource-based policy that denies all principals access to an Amazon SQS queue.
  - Allow password recovery. Use the following commands to view the user name and recover root user credentials for a member account.
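Both the CLI and API sections mention the sts:TaskPolicyArn condition key as the way to limit which privileged tasks a management account or delegated administrator can launch. The following added example (not the page's own code) generates the identity policy that allows sts:AssumeRoot only against one member account and only with a listed set of root-task policies. The Resource format arn:aws:iam::<account>:root for the target principal, and the `RootTaskOperator` role name in the usage comment, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's own): build a least-privilege policy for callers
# of sts:AssumeRoot, restricted by member account and by sts:TaskPolicyArn.
set -eu

ROOT_TASK_PREFIX="arn:aws:iam::aws:policy/root-task/"

# Accept only managed policies from the root-task namespace; any other ARN in the
# condition would let the caller scope a root session to an unrelated policy.
valid_task_policy_arn() {
  case "$1" in
    "$ROOT_TASK_PREFIX"?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build a JSON array of the allowed task policy ARNs, rejecting anything outside
# the root-task namespace.
json_arn_list() {
  list=""
  for arn in "$@"; do
    valid_task_policy_arn "$arn" || { echo "not a root-task policy: $arn" >&2; return 1; }
    list="${list:+$list, }\"$arn\""
  done
  printf '[%s]' "$list"
}

# args: member_account_id task_policy_arn... ; prints the policy document.
# Resource format arn:aws:iam::<account>:root is an assumption of this example.
assume_root_scope_policy() {
  account="$1"; shift
  arns=$(json_arn_list "$@") || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRootScopedToTasks",
      "Effect": "Allow",
      "Action": "sts:AssumeRoot",
      "Resource": "arn:aws:iam::${account}:root",
      "Condition": {
        "StringEquals": { "sts:TaskPolicyArn": ${arns} }
      }
    }
  ]
}
EOF
}

# Usage: write the document and attach it to the delegated administrator's role
# (the role name is hypothetical).
#   assume_root_scope_policy 111122223333 \
#     arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy > scope.json
#   aws iam put-role-policy --role-name RootTaskOperator \
#     --policy-name AssumeRootScope --policy-document file://scope.json
```

With this policy in place, a call to assume-root that names a different member account, or a task policy that is not in the list, is denied before any root session exists, which is the check that keeps a delegated administrator limited to the specific recovery tasks they were granted.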