AWS Identity and Access Management (IAM) is launching a new capability allowing security teams to centrally manage root access for member accounts in AWS Organizations. You can now easily manage root credentials and perform highly privileged actions.
Managing root user credentials at scale
For a long time, Amazon Web Services (AWS) accounts were provisioned with highly privileged root user credentials, which had unrestricted access to the account. This root access, while powerful, also posed significant security risks. Each AWS account’s root user had to be secured by adding layers of protection like multi-factor authentication (MFA). Security teams were required to manage and secure these root credentials manually. The process involved rotating credentials periodically, storing them securely, and making sure that the credentials complied with security policies.
As our customers expanded their AWS environments, this manual approach became cumbersome and prone to error. For example, large enterprises operating hundreds or thousands of member accounts struggled to secure root access consistently across all accounts. The manual intervention not only added operational overhead but also created a lag in account provisioning, preventing full automation and increasing security risks. Root access, if not properly secured, could lead to account takeovers and unauthorized access to sensitive resources.
Furthermore, whenever specific root actions such as unlocking an Amazon Simple Storage Service (Amazon S3) bucket policy or an Amazon Simple Queue Service (Amazon SQS) resource policy were required, security teams had to retrieve and use root credentials, which only increased the attack surface. Even with rigorous monitoring and strong security policies, maintaining long-term root credentials opened doors to potential mismanagement, compliance risks, and manual errors.
Security teams began seeking a more automated, scalable solution. They needed a way to not only centralize the management of root credentials but also programmatically manage root access without needing long-term credentials in the first place.
Centrally manage root access
With the new ability to centrally manage root access, we address the longstanding challenge of managing root credentials across multiple accounts. This new capability introduces two essential capabilities: the central management of root credentials and root sessions. Together, they offer security teams a secure, scalable, and compliant way to manage root access across AWS Organizations member accounts.
Let’s first discuss the central management of root credentials. With this capability, you can now centrally manage and secure privileged root credentials across all accounts in AWS Organizations. Root credentials management allows you to:
But how can we make sure it remains possible to perform selected root actions on the accounts? This is the second capability we launch today: root sessions. It offers a secure alternative to maintaining long-term root access. Instead of manually accessing root credentials whenever privileged actions are required, security teams can now gain short-term, task-scoped root access to member accounts. This capability makes sure that actions such as unlocking S3 bucket policies or SQS queue policies can be performed securely without the need for long-term root credentials.
Root sessions key benefits include:
This new capability does not grant full root access. It provides temporary credentials for performing one of these five specific actions. The first three actions are possible with central management of root accounts. The last two come when enabling root sessions.
How to obtain root credentials on a member account
In this demo, I show you how to prepare your management account, create a member account without root credentials, and obtain temporary root credentials to make one of the five authorized API call on the member account. I assume you have an organization already created.
First, I create a member account.
aws organizations create-account
--email stormacq+rootaccountdemo@amazon.com
--account-name 'Root Accounts Demo account'
{
"CreateAccountStatus": {
"Id": "car-695abd4ee1ca4b85a34e5dcdcd1b944f",
"AccountName": "Root Accounts Demo account",
"State": "IN_PROGRESS",
"RequestedTimestamp": "2024-09-04T20:04:09.960000+00:00"
}
}
Then, I enable the two new capabilities on my management account. Don’t worry, these commands don’t alter the behavior of the accounts in any way other than enabling use of the new capability.
➜ aws organizations enable-aws-service-access
--service-principal iam.amazonaws.com
➜ aws iam enable-organizations-root-credentials-management
{
"OrganizationId": "o-rlrup7z3ao",
"EnabledFeatures": [
"RootCredentialsManagement"
]
}
➜ aws iam enable-organizations-root-sessions
{
"OrganizationId": "o-rlrup7z3ao",
"EnabledFeatures": [
"RootSessions",
"RootCredentialsManagement"
]
}
Alternatively, I can also use the console on the management account. Under Access management, I select Account settings.
Now, I’m ready to make requests to obtain temporary root credentials. I have to pass one of the five managed IAM policies to scope down the credentials to a specific action.
➜ aws sts assume-root
--target-principal <my member account id>
--task-policy-arn arn=arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy
{
"Credentials": {
"AccessKeyId": "AS....XIG",
"SecretAccessKey": "ao...QxG",
"SessionToken": "IQ...SS",
"Expiration": "2024-09-23T17:44:50+00:00"
}
}
Once I obtain the access key ID, the secret access key, and the session token, I use them as usual with the AWS Command Line Interface (AWS CLI) or an AWS SDKs.
For example, I can pass these three values as environment variables.
$ export AWS_ACCESS_KEY_ID=ASIA356SJWJITG32xxx
$ export AWS_SECRET_ACCESS_KEY=JFZzOAWWLocoq2of5Exxx
$ export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEMb//////////wEaCXVxxxx
Now that I received the temporary credentials, I can make a restricted API call as root on the member account. First, I verify I now have root credentials. The Arn
field confirms I’m working with the root account.
# Call get Caller Identity and observe I'm root in the member account
$ aws sts get-caller-identity
{
"UserId": "012345678901",
"Account": "012345678901",
"Arn": "arn:aws:iam::012345678901:root"
}
Then, I use the delete-bucket-policy
from S3 to remove an incorrect policy that has been applied to a bucket. The invalid policy removed all bucket access for everybody. Removing such policy requires root credentials.
aws s3api delete-bucket-policy --bucket my_bucket_with_incorrect_policy
When there is no output, it means the operation is successful. I can now apply a correct access policy to this bucket.
Credentials are valid only for 15 minutes. I wrote a short shell script to automate the process of getting the credentials as JSON, exporting the correct environment variables, and issuing the command I want to run as root.
Availability
Central management of root access is available at no additional cost in all AWS Regions except AWS GovCloud (US) and AWS China Regions, where there is no root account. Root sessions are available everywhere.
You can start using it through the IAM console, AWS CLI or AWS SDK. For more information, visit AWS account root user in our documentation and follow best practices for securing your AWS accounts.
— seb
Source: AWS News