Centralizing AWS Root User Management: A Best Practice for Security and Compliance

In today's complex cloud environments, managing access and permissions across multiple AWS accounts can be overwhelming and often a neglected task. One of the most critical aspects of this management is handling root user access for member accounts within an AWS Organization. In attempts to meet compliance, AWS customers are constantly setting root user credentials, enabling MFA, and then... promptly forgetting the password or where they stored their MFA devices.

To avoid these hassles, you can centralize root access for member accounts within IAM. This removes the root user credentials within your member accounts in your AWS Organization - eliminating the need to secure your root user and use SCPs to lock them down.

In this blog post, we'll review how to set up centralized root user management for member accounts as well as key considerations to setting this up in your existing AWS Organization.

Why Centralize Root User Management?

Before diving into the setup process, let's take a look at why centralizing root user management is crucial:

1. Enhanced Security: Centralizing control, mitigates the risk of unauthorized access to root user accounts by not having them exist.
2. Simplified Administration: Manage all member account root users from a single point - saves time and reduces complexity.
3. Simplified Policies: Centralization reduces the number of SCPs required in your AWS Organization.
4. Improved Compliance: Audit and reporting are far easier for reporting for compliance requirements.

Note: Centralizing root user management does not eliminate the requirement for a root user email address when creating an AWS account within your AWS Organization.

Prerequisites

Prior to configuring centralized root user management in your AWS Organization, we should first setup some best practices and remove some old ones:

1. Create or identify a member account within your AWS Organization. This AWS account will be the centralized point to manage root user access within your AWS Organization. With platformr we create our customers the Identity account which operates in your AWS Organization as the focal point to manage organizational identity operations. We will delegate the AWS Identity and Access Management to the Identity account

2. Remove any SCP that inhibits the root user in your AWS Organization. If you keep the SCP applied, it will cause failure in your attempts to remove root user credentials from your AWS Organization. A root user deny SCP is a common implementation in existing AWS Organizations, but no longer necessary. With platformr we have removed this within our Foundation deployment in order to support the modern centralized root user management.

Enabling Centralized Root User Management

For instructions on how to set up centralized root user management in your AWS Organization you can follow the documentation here: Enabling centralized root access. The instructions will guide you through actions taken within your management account of your AWS Organization.

While AWS documentation does not directly walk you through enabling trusted access for AWS Identity and Access Management in AWS Organizations, it does give you additional links to show you how to do it. To complete the task, all you need to do is:

1. Go into the AWS Organizations console in the management account
2. click on the Services link in the left-side vertical navigation, and
3. find the AWS Identity and Access Management link in the center of the page and click to start enabling:

Once enabled, you can view your status by going into the IAM console and on the left-side vertical navigation you can see the Account settings. In there you will see the Centralized root access for member accounts configuration where you can enableroot credentials managementas well as enablePrivileged root actions in member accounts`. It is a good idea to have both enabled. You can also delegate the administration of centralized root user management from the same page.

After enabling, you can go to the IAM console and on the left-side vertical navigation you can click on Root access management to open the list of accounts to see their status.

Initially the page will open up with listing the top-level OUs and you can view the list of accounts by clicking on the List link.

With the accounts listed out you should see Root user credentials listed in green font as Not present.

If an AWS account has a root user credential present, you will see it listed as Present. To remove the root user select the account then click on the Take privileged action button in the top right of the screen.

The following page gives the various privileged actions options you can take on the account. Select the Delete root user credentials option and click on the button on the bottom right of the page.

You will see the root credential of the account be removed and you may end up receiving an email about this change based on the root user email address associated with the credential. Repeat this process for all the member accounts.

If you had an error you will see details listed in red. This could mean:

1. You are logged in as the root user of the management account and it cannot view the details.
2. You may have an SCP blocking the root user.

Delegating Root User Management

Next you should delegate the administration of root user management in your AWS Organization. In an AWS Organization, delegating the management of AWS services allows administrators to grant specific member accounts the authority to manage certain AWS services on behalf of the organization. This delegation helps distribute administrative responsibilities, improve security, and reduce reliance on the management (root) account.

Important: Restricting access to the AWS management account is essential for maintaining security. Any AWS service that integrates with AWS Organizations should be delegated to a member account rather than being managed within the AWS management account.

To delegate administration of IAM to a member account, go back into the IAM console of your management account, click on IAM settings and update the section for Delegated administration for centralized root access.

You can also use the AWS CLI or SDK to delegate the administration. The following is an example CLI command for registering the delegated admin account. You will need to update the --account-id with the member account in your AWS Organization.


aws organizations register-delegated-administrator
--service-principal iam.amazonaws.com
--account-id 111111111111


To align with best practices, similar service management functions should be isolated within a dedicated account. In this case, it is recommended to create an Identity account specifically for this purpose. Within platformr, we automate the creation of the Identity account and the delegation of IAM root user management, along with IAM Access Analyzer, IAM Identity Center, and other identity-related services.

Once you have registered in the delegated admin for AWS Identity and Access Management, you can log into the delegated admin AWS account and use it instead of accessing the management account. Just as you saw in the management account the Root access management in IAM web console will be available in your delegated admin account.