Perform a privileged task on an Amazon Organizations member account - Amazon Identity and Access Management

Perform a privileged task on an Amazon Organizations member account

The Amazon Organizations management account or a delegated administrator account for IAM can perform some root user tasks on member accounts using short-term root access. These tasks can only be performed when you sign in as the root user of an account. Short-term privileged sessions give you temporary credentials that you can scope to take privileged actions on a member account in your organization.

Once you launch a privileged session, you can delete a misconfigured Amazon S3 bucket policy, delete a misconfigured Amazon SQS queue policy, delete the root user credentials for a member account, and reenable root user credentials for a member account.

Prerequisites

Before you can launch a privileged session, you must have the following settings:

  • You have enabled centralized root access in your organization. For steps to enable this feature, see Centralize root access for member accounts.

  • Your management account or delegated administrator account has the following permissions: sts:AssumeRoot

Taking a privileged action on a member account (console)

To launch a session for privileged action in a member account in the Amazon Web Services Management Console
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane of the console, choose Root access management.

  3. Select a name from the member account list, and choose Take privileged action.

  4. Choose the privileged action you want to take in the member account.

    • Select Delete Amazon S3 bucket policy to remove a misconfigured bucket policy that denies all principals from accessing the Amazon S3 bucket.

      1. Choose Browse S3 to select a name from the buckets owned by the member account, and select Choose.

      2. Choose Delete bucket policy.

      3. Use the Amazon S3 console to correct the bucket policy after deleting the misconfigured policy. For more information, see Adding a bucket policy by using the Amazon S3 console in the Amazon S3 User Guide.

    • Select Delete Amazon SQS policy to delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.

      1. Enter the queue name in SQS queue name, and select Delete SQS policy.

      2. Use the Amazon SQS console to correct the queue policy after deleting the misconfigured policy. For more information, see Configuring an access policy in Amazon SQS in the Amazon SQS Developer Guide.

  • Select Delete root credentials to remove root access from a member account. Deleting root user credentials removes the root user password, access keys, and signing certificates, and deactivates multi-factor authentication (MFA) for the member account.

      1. Choose Delete root credentials.

    • Select Allow password recovery to recover root user credentials for a member account.

      This option is only available when the member account has no root user credentials.

      1. Choose Allow password recovery.

      2. After taking this privileged action, the person with access to the root user email inbox for the member account can reset the root user password and sign in to the member account root user.

Taking a privileged action on a member account (Amazon CLI)

To launch a session for privileged action in a member account from the Amazon Command Line Interface
  1. Use the following command to assume a root user session: aws sts assume-root.

    Note

    The global endpoint is not supported for sts:AssumeRoot. You must send this request to a Regional Amazon STS endpoint. For more information, see Manage Amazon STS in an Amazon Web Services Region.

    When you launch a privileged root user session for a member account, you must define task-policy-arn to scope the session to the privileged action to be performed during the session. You can use one of the following Amazon managed policies to scope privileged session actions.

    To limit the actions a management account or delegated administrator can perform during a privileged root user session, you can use the Amazon STS condition key sts:TaskPolicyArn.

    In the following example, the delegated administrator assumes root to delete the root user credentials for the member account ID 111122223333.

    aws sts assume-root \
        --target-principal 111122223333 \
        --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials \
        --duration-seconds 900
  2. Use the AccessKeyId and SecretAccessKey from the response to perform privileged actions in the member account. You can omit the user name and password in the request to default to the member account.

Taking a privileged action on a member account (Amazon API)

To launch a session for privileged action in a member account from the Amazon API
  1. Use the following command to assume a root user session: AssumeRoot.

    Note

    The global endpoint is not supported for AssumeRoot. You must send this request to a Regional Amazon STS endpoint. For more information, see Manage Amazon STS in an Amazon Web Services Region.

    When you launch a privileged root user session for a member account, you must define TaskPolicyArn to scope the session to the privileged action to be performed during the session. You can use one of the following Amazon managed policies to scope privileged session actions.

    To limit the actions a management account or delegated administrator can perform during a privileged root user session, you can use the Amazon STS condition key sts:TaskPolicyArn.

    In the following example, the delegated administrator assumes root to read, edit, and delete a misconfigured resource-based policy for an Amazon S3 bucket in the member account ID 111122223333. The task policy is passed as the TaskPolicyArn parameter, and DurationSeconds must be given as a key=value pair like the other query parameters.

    https://sts.us-east-2.amazonaws.com/
    ?Version=2011-06-15
    &Action=AssumeRoot
    &TargetPrincipal=111122223333
    &TaskPolicyArn.arn=arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy
    &DurationSeconds=900
  2. Use the AccessKeyId and SecretAccessKey from the response to perform privileged actions in the member account. You can omit the user name and password in the request to default to the member account.
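The CLI and API flows above, as an added Python (boto3) example that is not AWS's own code: it builds the sts:TaskPolicyArn restriction policy for the delegated administrator, launches an AssumeRoot session scoped to one root-task managed policy against a Regional STS endpoint, and uses the returned temporary credentials to delete a bucket policy. It assumes boto3 is installed; session_factory is a hypothetical injection point so the flow can be exercised without AWS access, and the bucket name is a constructed sample value.

```python
import re

ROOT_TASK_PREFIX = "arn:aws:iam::aws:policy/root-task/"   # partition as on the page
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
MAX_SESSION_SECONDS = 900   # the duration used in the page's examples


def task_policy_arn(task_name):
    """ARN of one of the root-task managed policies, e.g. S3UnlockBucketPolicy."""
    return ROOT_TASK_PREFIX + task_name


def assume_root_restriction_policy(allowed_tasks):
    """IAM policy for the management or delegated administrator account: it may
    call sts:AssumeRoot only with the listed task policies (sts:TaskPolicyArn)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoot", "Resource": "*",
        "Condition": {"StringEquals": {
            "sts:TaskPolicyArn": [task_policy_arn(t) for t in allowed_tasks]}}}]}


def assume_root_credentials(sts_client, target_account, task_name,
                            duration=MAX_SESSION_SECONDS):
    """Launch a privileged session scoped to one root task and return its
    temporary credentials. sts_client must target a Regional endpoint; the
    global endpoint does not support AssumeRoot."""
    if not ACCOUNT_ID_RE.match(target_account):
        raise ValueError("target_account must be a 12-digit account ID")
    if not 0 < duration <= MAX_SESSION_SECONDS:
        raise ValueError("duration must be between 1 and 900 seconds")
    resp = sts_client.assume_root(TargetPrincipal=target_account,
                                  TaskPolicyArn={"arn": task_policy_arn(task_name)},
                                  DurationSeconds=duration)
    return resp["Credentials"]


def unlock_bucket(target_account, bucket, region="us-east-2", session_factory=None):
    """Delete a misconfigured bucket policy in the member account with an
    S3UnlockBucketPolicy-scoped session; returns the session's AccessKeyId."""
    if session_factory is None:          # hypothetical injection point for tests
        import boto3                     # only needed for real AWS calls
        session_factory = boto3.Session
    sts = session_factory(region_name=region).client("sts", region_name=region)
    creds = assume_root_credentials(sts, target_account, "S3UnlockBucketPolicy")
    s3 = session_factory(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"],
                         region_name=region).client("s3")
    s3.delete_bucket_policy(Bucket=bucket)   # the privileged action itself
    return creds["AccessKeyId"]
```

After the bucket policy is deleted, the corrected policy is applied through the normal Amazon S3 console or API, as the page describes.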