AWS Centralized Root Access Management
AWS Centralized Root Access Management lets you eliminate root credentials from member accounts while keeping a secure break-glass procedure. Enable it from your management account, delegate administration to a trusted account, delete root credentials from members, and recover access when needed via password recovery - all without maintaining standing root credentials.
Introduction
If you're managing multiple AWS accounts through AWS Organizations, you've probably faced the challenge of securing root user credentials across all those member accounts. Each account has its own root user, each with powerful privileges that could cause serious damage if compromised. Traditionally, this meant either leaving root credentials active (a security risk) or manually managing them across dozens or hundreds of accounts (an operational nightmare).
AWS Centralized Root Access Management solves this problem elegantly. It allows you to delegate root access management to a single administrator account, delete root credentials from member accounts entirely, and still recover root access when you genuinely need it for emergencies. Think of it as having a secure "break-glass" procedure built right into AWS.
In this post, I'll walk you through the complete setup and day-to-day operations of this feature, including:
- Centralize root access management to a delegated administrator account
- Delete root user credentials from member accounts
- Recover root access in emergency (break-glass) scenarios
- Remove root credentials after emergency access is complete
Delegated Administrator Account: 111122223333 (IT SSO Management)
Part 1: One-Time Setup - Enable Centralized Root Access Management
Perform these steps from the Management/Payer Account
Prerequisites
- Signed into the management/payer account
- AWS Organizations enabled
- Required IAM permissions:
  - iam:EnableOrganizationsRootCredentialsManagement
  - iam:EnableOrganizationsRootSessions
  - iam:ListOrganizationsFeatures
  - organizations:EnableAwsServiceAccess
  - organizations:RegisterDelegatedAdministrator
Enabling centralized root access management is an organization-wide change. Ensure you have proper change management approval before proceeding, and test in a non-production organization first if possible.
Console Steps
- Sign in to the management account
- Open the IAM console: https://console.aws.amazon.com/iam/
- In the left navigation, choose Root access management
- Click Enable
- In Capabilities to enable, select both:
- Root credentials management
- Privileged root actions in member accounts
- Enter Delegated administrator account ID: 111122223333
- Click Enable
CLI Steps
```shell
# 1. Enable trusted access for IAM in Organizations
aws organizations enable-aws-service-access \
  --service-principal iam.amazonaws.com

# 2. Enable root credentials management
aws iam enable-organizations-root-credentials-management

# 3. Enable privileged root actions
aws iam enable-organizations-root-sessions

# 4. Register delegated administrator
aws organizations register-delegated-administrator \
  --service-principal iam.amazonaws.com \
  --account-id 111122223333
```
Choose a delegated administrator account that is already well-secured and used for identity management. Many organizations use their SSO/Identity Center management account for this purpose.
Part 2: Delete Root Credentials from Member Accounts
Perform these steps from the Delegated Admin Account (111122223333)
Console Steps
- Sign in to account 111122223333
- Open the IAM console: https://console.aws.amazon.com/iam/
- In the left navigation, choose Root access management
- You will see a list of all member accounts
- For each member account:
- Select the account from the list
- Click Take privileged action
- Select Delete root credentials
- Confirm the deletion
CLI Steps
```shell
# List all member accounts first
aws organizations list-accounts --query 'Accounts[*].[Id,Name]' --output table

# For each member account, delete root credentials:
MEMBER_ACCOUNT_ID="444455556666" # Replace with actual account ID

# Assume root with the delete-credentials task policy (15-minute session)
aws sts assume-root \
  --target-principal "$MEMBER_ACCOUNT_ID" \
  --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials \
  --duration-seconds 900

# Export the returned credentials
export AWS_ACCESS_KEY_ID="<AccessKeyId from response>"
export AWS_SECRET_ACCESS_KEY="<SecretAccessKey from response>"
export AWS_SESSION_TOKEN="<SessionToken from response>"

# Delete the root login profile (the root user's console password)
aws iam delete-login-profile

# Delete any access keys (if they exist)
aws iam list-access-keys
aws iam delete-access-key --access-key-id <key-id>

# Deactivate MFA (if configured)
aws iam list-mfa-devices
aws iam deactivate-mfa-device --serial-number <mfa-serial>

# Delete signing certificates (if any)
aws iam list-signing-certificates
aws iam delete-signing-certificate --certificate-id <cert-id>
```
What Gets Deleted
- Root user password
- Root user access keys
- Root user signing certificates
- Multi-factor authentication (MFA) is deactivated
Deleting root credentials does not affect the root user email address. The email is still associated with the account and is required for password recovery during break-glass procedures.
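The per-account sequence above (and the identical cleanup in Part 4) is tedious to repeat by hand across many accounts. The script below is an added example, not part of the original post, that runs the same delete-credentials task over every active member account. It assumes AWS CLI v2 with `sts assume-root` support, delegated-admin (111122223333) credentials already in the environment, and that the management account is not a valid AssumeRoot target and is therefore skipped; the `--query`/`--output text` flags replace the manual copy-paste of the returned credentials.

```shell
#!/bin/sh
# Added example (not from the original post): sweep every ACTIVE member
# account and perform the "delete root credentials" task from Part 2 / Part 4.
set -e

DELETE_POLICY="arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Every active account in the organization except the management account,
# which (assumption) cannot be targeted by AssumeRoot.
list_member_accounts() {
  mgmt=$(aws organizations describe-organization \
           --query Organization.MasterAccountId --output text)
  aws organizations list-accounts \
      --query "Accounts[?Status=='ACTIVE'].Id" --output text \
    | tr '\t' '\n' | grep -v "^$mgmt$" || true
}

# Delete password, access keys and signing certs, and deactivate MFA, for one
# account's root user. Runs in a subshell so the short-lived root session
# credentials never leak into the caller's environment.
delete_root_creds() (
  acct=$1
  aws sts assume-root --target-principal "$acct" \
      --task-policy-arn "arn=$DELETE_POLICY" --duration-seconds 900 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text | {
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    keys=0; mfa=0; certs=0
    for k in $(aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
      [ "$k" = None ] && continue
      aws iam delete-access-key --access-key-id "$k"; keys=$((keys+1))
    done
    for m in $(aws iam list-mfa-devices --query 'MFADevices[].SerialNumber' --output text); do
      [ "$m" = None ] && continue
      aws iam deactivate-mfa-device --serial-number "$m"; mfa=$((mfa+1))
    done
    for c in $(aws iam list-signing-certificates --query 'Certificates[].CertificateId' --output text); do
      [ "$c" = None ] && continue
      aws iam delete-signing-certificate --certificate-id "$c"; certs=$((certs+1))
    done
    # A root user whose password was already removed has no login profile;
    # treat NoSuchEntity as "already done", anything else as a real failure.
    if ! err=$(aws iam delete-login-profile 2>&1); then
      case $err in *NoSuchEntity*) ;; *) printf '%s\n' "$err" >&2; exit 1 ;; esac
    fi
    printf '%s keys=%s mfa=%s certs=%s password=deleted\n' "$acct" "$keys" "$mfa" "$certs"
  }
)
```

Run it as `for a in $(list_member_accounts); do delete_root_creds "$a"; done` and keep the printed summary lines as the change record for your audit trail.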
Part 3: Break-Glass - Recover Root Access for Emergency
Perform these steps from the Delegated Admin Account (111122223333)
Use this procedure when you need emergency root access to a member account (e.g., SSO is down, or a misconfigured policy has to be fixed).
Only use the break-glass procedure for genuine emergencies. Document the reason for each use and ensure you delete the root credentials again after completing the emergency task.
Console Steps
- Sign in to account 111122223333
- Open the IAM console: https://console.aws.amazon.com/iam/
- In the left navigation, choose Root access management
- Select the member account that needs emergency access
- Click Take privileged action
- Select Allow password recovery
- Click Allow password recovery to confirm
CLI Steps
```shell
MEMBER_ACCOUNT_ID="444455556666" # Replace with actual account ID

# Assume root with the create-password task policy (15-minute session)
aws sts assume-root \
  --target-principal "$MEMBER_ACCOUNT_ID" \
  --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMCreateRootUserPassword \
  --duration-seconds 900

# Export the returned credentials
export AWS_ACCESS_KEY_ID="<AccessKeyId from response>"
export AWS_SECRET_ACCESS_KEY="<SecretAccessKey from response>"
export AWS_SESSION_TOKEN="<SessionToken from response>"

# Enable password recovery
aws iam create-login-profile
```
After Enabling Recovery
- The person with access to the root user email inbox for that member account goes to: https://console.aws.amazon.com/
- Enter the root user email address
- Click Forgot password?
- Follow the password reset flow via email
- Sign in as root user and complete the emergency task
Ensure your organization has documented who has access to root user email inboxes for each account. Consider using a shared mailbox or distribution list that multiple trusted administrators can access.
Part 4: Cleanup - Delete Root Credentials After Emergency
Perform these steps from the Delegated Admin Account (111122223333)
Important: Always delete root credentials after completing emergency access.
Console Steps
- Sign in to account 111122223333
- Open the IAM console: https://console.aws.amazon.com/iam/
- In the left navigation, choose Root access management
- Select the member account that was granted emergency access
- Click Take privileged action
- Select Delete root credentials
- Confirm the deletion
CLI Steps
```shell
MEMBER_ACCOUNT_ID="444455556666" # Replace with actual account ID

# Assume root with the delete-credentials task policy (15-minute session)
aws sts assume-root \
  --target-principal "$MEMBER_ACCOUNT_ID" \
  --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials \
  --duration-seconds 900

# Export the returned credentials
export AWS_ACCESS_KEY_ID="<AccessKeyId from response>"
export AWS_SECRET_ACCESS_KEY="<SecretAccessKey from response>"
export AWS_SESSION_TOKEN="<SessionToken from response>"

# Delete the root login profile
aws iam delete-login-profile
```
Quick Reference Summary
| Action | Account to Use | Console Location |
|---|---|---|
| Enable centralized root access | Management/Payer | IAM → Root access management → Enable |
| Delete member root credentials | Delegated Admin (111122223333) | IAM → Root access management → Take privileged action |
| Allow password recovery (break-glass) | Delegated Admin (111122223333) | IAM → Root access management → Take privileged action |
| Reset root password | Root email inbox owner | AWS Console sign-in → Forgot password |
| Delete root credentials (cleanup) | Delegated Admin (111122223333) | IAM → Root access management → Take privileged action |
Additional Privileged Actions Available
From the delegated admin account, you can also perform these emergency actions without needing root credentials:
| Action | Use Case |
|---|---|
| Delete Amazon S3 bucket policy | Fix misconfigured bucket policy that denies all access |
| Delete Amazon SQS policy | Fix misconfigured queue policy that denies all access |
Troubleshooting
Common Issues and Solutions
Issue: "You are not authorized to perform this operation"
Cause: Missing required IAM permissions on the management account or delegated admin account.
Solution: Ensure the user or role has the permissions listed in the Prerequisites section. For the delegated admin, verify the account was successfully registered using `aws organizations list-delegated-administrators --service-principal iam.amazonaws.com`.
Issue: "Trusted access for IAM is not enabled"
Cause: The IAM service principal is not enabled for trusted access in Organizations.
Solution: Run `aws organizations enable-aws-service-access --service-principal iam.amazonaws.com` from the management account.
Issue: Cannot see member accounts in Root access management
Cause: You may be signed into the wrong account or the delegated admin was not properly registered.
Solution: Verify you are in the delegated admin account (111122223333). Check the registration status with `aws organizations list-delegated-administrators` from the management account.
Issue: Password reset email not received
Cause: Email may be in spam, or the root email address may be incorrect.
Solution: Check spam/junk folders. Verify the root email address in the AWS Organizations console under account details. Allow 5-10 minutes for email delivery.
Issue: "assume-root" command fails with AccessDenied
Cause: The calling identity does not have permission to assume root, or the feature is not enabled.
Solution: Verify both root credentials management and root sessions are enabled using `aws iam list-organizations-features`. Ensure the caller has `sts:AssumeRoot` permission.
Issue: Cannot delete root credentials - MFA device still active
Cause: The root user has an MFA device that must be deactivated first.
Solution: List MFA devices with `aws iam list-mfa-devices` and deactivate each one with `aws iam deactivate-mfa-device --serial-number <arn>` before deleting the login profile.
Conclusion
AWS Centralized Root Access Management is a game-changer for organizations running multi-account environments. By centralizing control in a delegated administrator account, you can significantly reduce your attack surface by eliminating standing root credentials from member accounts while still retaining the ability to recover access when genuinely needed.
The key takeaways from this guide are:
- One-time setup from your management account enables the feature and designates a delegated admin
- Delete root credentials from member accounts to eliminate standing root access
- Break-glass recovery is always available when you need emergency root access
- Always clean up by deleting root credentials after emergency use
I highly recommend implementing this feature as part of your AWS security baseline. It aligns with AWS Well-Architected Framework best practices and makes audit and compliance much simpler since you can demonstrate that root credentials don't exist in your member accounts under normal operations.
If you have any questions or run into issues implementing this, feel free to reach out!