Ensure Centralized Root Credentials Management is Enabled

Overview

This check verifies that AWS Organizations has enabled centralized management of root user credentials across member accounts. When enabled, the management account (and any delegated administrator) can control root passwords, access keys, signing certificates, and MFA settings for all member accounts from a single location.

Risk

Without centralized root credentials management, each member account retains full control over its own root user. This creates several security risks:

  • Account compromise - Attackers could recover root access through email-based password reset
  • Unauthorized access - Long-lived root access keys may persist undetected in member accounts
  • Policy bypass - Root users can circumvent IAM policies and service control policies (SCPs)
  • Accountability gaps - Decentralized root access makes it harder to track who did what

Severity: High

Remediation Steps

Prerequisites

  • You must be signed in to the management account of your AWS Organization (not a member account)
  • Your account must have AWS Organizations enabled with all features
  • You need IAM permissions to enable trusted access for IAM in Organizations

AWS Console Method

  1. Sign in to the AWS Management Console using your management account credentials

  2. Navigate to IAM (search for "IAM" in the top search bar)

  3. In the left navigation panel, look for Root access management (under Access management)

  4. Click Enable to activate centralized root access

  5. Select Root credentials management to enable this specific capability

  6. If prompted, confirm that you want to enable trusted access for IAM in AWS Organizations

  7. Click Confirm to complete the setup

AWS CLI Method

Before enabling centralized root credentials management, ensure trusted access for IAM is enabled in your organization:

# Enable trusted access for IAM in Organizations (if not already enabled)
aws organizations enable-aws-service-access \
--service-principal iam.amazonaws.com \
--region us-east-1

# Enable centralized root credentials management
aws iam enable-organizations-root-credentials-management \
--region us-east-1

Expected output:

{
"OrganizationId": "o-xxxxxxxxxx",
"EnabledFeatures": [
"RootCredentialsManagement"
]
}

Designating a Delegated Administrator (Optional)

You can designate another account in your organization to manage root credentials on behalf of the management account:

Via Console:

  1. In the IAM console, go to Root access management
  2. Under Delegated administrator, click Register delegated administrator
  3. Enter the Account ID of the member account you want to delegate to
  4. Click Register

Via CLI:

# Register a member account as delegated administrator for IAM root access
# management (delegated administrators are registered through Organizations
# with the IAM service principal)
aws organizations register-delegated-administrator \
--account-id <delegated-account-id> \
--service-principal iam.amazonaws.com \
--region us-east-1

Verification

After enabling, verify that centralized root credentials management is active:

  1. In the IAM console, go to Root access management
  2. Confirm that Root credentials management shows as Enabled

CLI Verification

# List enabled organization features for IAM
aws iam list-organizations-features \
--region us-east-1

Expected output when enabled:

{
"OrganizationId": "o-xxxxxxxxxx",
"EnabledFeatures": [
"RootCredentialsManagement"
]
}

If RootCredentialsManagement appears in the EnabledFeatures array, the feature is properly enabled.
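The verification step above can be automated instead of read by eye. The following is an added example, not code from this page or from any AWS tool: it parses the JSON that aws iam list-organizations-features prints (the enable command prints the same shape) and turns it into a PASS/FAIL finding with a non-zero exit code on failure, so it can sit in a pipeline. The sample outputs embedded in it are constructed, and the organization ID is the same placeholder the page uses; the only assumption is the output shape shown above.

```python
import json
import sys

# Feature name that must appear in the EnabledFeatures array for this check to pass
REQUIRED_FEATURE = "RootCredentialsManagement"

# Constructed sample outputs (not captured from a real account); the
# organization ID is a placeholder in the same format the page uses.
SAMPLE_ENABLED = """{
    "OrganizationId": "o-xxxxxxxxxx",
    "EnabledFeatures": ["RootCredentialsManagement"]
}"""

SAMPLE_NOT_ENABLED = """{
    "OrganizationId": "o-xxxxxxxxxx",
    "EnabledFeatures": []
}"""


def enabled_features(raw_json: str) -> list:
    """Return the EnabledFeatures list from the CLI output.

    Both `aws iam list-organizations-features` and
    `aws iam enable-organizations-root-credentials-management` print this
    shape. A missing key is treated as "nothing enabled" rather than as an
    error, so an older or trimmed output still yields a FAIL, not a crash.
    """
    doc = json.loads(raw_json)
    features = doc.get("EnabledFeatures", [])
    if not isinstance(features, list):
        raise ValueError("EnabledFeatures is not a JSON array")
    return [str(f) for f in features]


def evaluate(raw_json: str) -> dict:
    """Evaluate the check and return a finding suitable for a report."""
    doc = json.loads(raw_json)
    features = enabled_features(raw_json)
    compliant = REQUIRED_FEATURE in features
    if compliant:
        message = "Centralized root credentials management is enabled"
    else:
        message = (
            f"{REQUIRED_FEATURE} is not in EnabledFeatures; run "
            "`aws iam enable-organizations-root-credentials-management` "
            "from the management account"
        )
    return {
        "organization_id": doc.get("OrganizationId"),
        "enabled_features": features,
        "compliant": compliant,
        "status": "PASS" if compliant else "FAIL",
        "message": message,
    }


def main() -> int:
    """Read CLI output from stdin, or run against the constructed samples with --demo."""
    if "--demo" in sys.argv[1:]:
        inputs = [SAMPLE_ENABLED, SAMPLE_NOT_ENABLED]
    else:
        inputs = [sys.stdin.read()]
    worst = 0
    for raw in inputs:
        finding = evaluate(raw)
        print(f"[{finding['status']}] {finding['organization_id']}: {finding['message']}")
        if not finding["compliant"]:
            worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main())
```

Typical use is aws iam list-organizations-features | python3 check_root_mgmt.py; the script exits 1 when the feature is missing, which is what a CI or compliance job should key on. Note that it only confirms the feature flag: as the Notes below say, enabling it does not by itself remove existing root access keys or passwords in member accounts, so a full control check still has to look at each member account's root credentials.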

Additional Resources

Notes

  • Management account only - This feature can only be enabled from the management account of an AWS Organization, not from member accounts.

  • Requires Organizations - Your AWS accounts must be organized in AWS Organizations with all features enabled. This does not work with consolidated billing-only organizations.

  • Trusted access - Enabling this feature requires trusted access for IAM in AWS Organizations. The console will prompt you to enable this if it is not already configured.

  • Scope - Once enabled, the management account (or delegated administrator) can perform privileged actions on root credentials for member accounts, including removing long-term credentials and requiring MFA.

  • No disruption to existing access - Enabling centralized management does not immediately change or revoke existing root credentials in member accounts. You must take explicit action to remove or modify credentials after enablement.