Managing root user credentials across multiple AWS accounts has long been a challenge for organizations, especially those operating at scale. Recognizing this, AWS has introduced a new capability that allows security teams to centrally manage root access for member accounts within AWS Organizations.

What’s new?
Each AWS account is provisioned with a root user that has unrestricted access to every resource in the account. IAM policies cannot constrain it; in a member account only service control policies (SCPs) apply to it. While this level of access is necessary for a handful of tasks, it poses significant security risk if not managed properly. Traditionally, organizations had to secure each root user individually: enabling multi-factor authentication (MFA), rotating or removing credentials, and monitoring usage. This manual approach becomes increasingly cumbersome and error-prone as the number of accounts grows.

Centralized Root Access Management
AWS’s new feature introduces two key capabilities to address these challenges.

Root Credentials Management – Security teams can now:

  • Remove long-term root credentials: Eliminate passwords, access keys, and MFA devices associated with root users in member accounts.
  • Prevent credential recovery: Once root credentials have been removed, the root password cannot be regained through the normal “forgot password” flow; recovery has to be deliberately re-enabled as a privileged action from the management account, so credentials cannot be inadvertently or maliciously restored.
  • Provision secure-by-default accounts: New accounts created within AWS Organizations can be set up without root credentials, reducing the risk from the outset.
  • Demonstrate compliance: Centrally monitor and report on the status of root credentials across all accounts, aiding in compliance efforts.

Temporary Root Sessions – For the few tasks that still require root-level access, AWS now allows the creation of short-term, task-scoped root sessions:

  • Task-specific access: Each session is bound to an AWS managed task policy that permits only one kind of action, such as auditing or deleting root credentials, unlocking an Amazon S3 bucket policy, or unlocking an Amazon SQS queue policy. A session taken to fix a bucket policy cannot be used for anything else.
  • Time-limited sessions: Sessions expire after at most 15 minutes, reducing the window of opportunity for misuse, and each session is recorded in AWS CloudTrail.
  • Centralized execution: Initiate these sessions from the management account or a delegated administrator account for IAM, so nobody needs to sign in as root in the member account itself.

Implementing centralized root access management offers several advantages:

  • Enhanced Security: Reducing or eliminating long-term root credentials minimizes the attack surface.
  • Operational Efficiency: Centralized management simplifies administrative tasks and reduces the need for manual interventions.
  • Compliance Support: Easier monitoring and reporting facilitate adherence to security policies and regulatory requirements.

Getting Started
To implement this solution, complete the following steps:

  1. Sign in to the AWS Management Console with the organization’s management account (the organization must have all features enabled) and open the IAM service.
  2. Select “Root access management” from the navigation menu and choose “Enable”. You can enable root credentials management, root sessions, or both. Once enabled, you can perform “privileged actions” against member accounts.
  3. The accounts list then shows the root credentials status of each member account, for example “Present”. Select an account and choose “Take privileged action”; the options include “Delete root credentials”.
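The enablement and privileged-action steps above, together with the task-scoped root sessions described earlier, as the equivalent AWS CLI workflow. This is an added example written for this page, not code from the original post or from AWS. Assumptions not stated on the page: the installed AWS CLI supports the `iam enable-organizations-root-credentials-management`, `iam enable-organizations-root-sessions`, `iam list-organizations-features` and `sts assume-root` commands; the caller is signed in to the management account, or to a registered IAM delegated administrator, with `sts:AssumeRoot` permission; the account ID 111122223333 and the bucket name are placeholders; and the `IAMAuditRootUserCredentials` and `IAMDeleteRootUserCredentials` task policies permit the read calls (`list-access-keys`, `list-mfa-devices`, `get-login-profile`) made inside the sessions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from AWS. Assumptions:
# an AWS CLI new enough for `iam enable-organizations-root-*` and
# `sts assume-root`; the caller is the management account or an IAM delegated
# administrator; 111122223333 and the bucket name in the usage are placeholders.
set -eu

# The only task policies sts:AssumeRoot accepts. Resolving the name locally
# means a typo fails here instead of as a confusing API error.
task_policy_arn() {
  case "$1" in
    IAMAuditRootUserCredentials|IAMCreateRootUserPassword|IAMDeleteRootUserCredentials|S3UnlockBucketPolicy|SQSUnlockQueuePolicy)
      printf 'arn:aws:iam::aws:policy/root-task/%s\n' "$1" ;;
    *)
      printf 'unknown root task: %s\n' "$1" >&2
      return 1 ;;
  esac
}

# Member account IDs are exactly 12 digits; refuse anything else so a typo
# cannot aim a root session at the wrong account.
valid_account_id() {
  [ "${#1}" -eq 12 ] || return 1
  case "$1" in *[!0-9]*) return 1 ;; esac
}

# One-time enablement from the management account. The two capabilities are
# switched on independently; list-organizations-features confirms the result
# (expect RootCredentialsManagement and RootSessions under EnabledFeatures).
enable_centralized_root() {
  aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
  aws iam enable-organizations-root-credentials-management
  aws iam enable-organizations-root-sessions
  aws iam list-organizations-features
}

# Run one command under a task-scoped root session in a member account.
# AssumeRoot sessions last at most 900 seconds, and the temporary credentials
# are exported only inside a subshell, so they vanish when the task ends and
# never reach the caller's environment or shell history.
root_task() {
  target=$1; task=$2; shift 2
  valid_account_id "$target" || { echo "invalid account id: $target" >&2; return 1; }
  policy=$(task_policy_arn "$task") || return 1
  creds=$(aws sts assume-root \
    --target-principal "$target" \
    --task-policy-arn "arn=$policy" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  (
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$creds
EOF
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    "$@"
  )
}

# Privileged actions. IAM calls made with root session credentials and no
# --user-name act on the root user of the target account.
audit_root() {
  root_task "$1" IAMAuditRootUserCredentials sh -c '
    aws iam get-login-profile 2>/dev/null || echo "root password: not present"
    aws iam list-access-keys
    aws iam list-mfa-devices'
}

delete_root_credentials() {
  root_task "$1" IAMDeleteRootUserCredentials sh -c '
    aws iam delete-login-profile 2>/dev/null || true
    for k in $(aws iam list-access-keys --query "AccessKeyMetadata[].AccessKeyId" --output text); do
      aws iam delete-access-key --access-key-id "$k"
    done
    for m in $(aws iam list-mfa-devices --query "MFADevices[].SerialNumber" --output text); do
      aws iam deactivate-mfa-device --serial-number "$m"
    done'
}

# Dispatch on an explicit subcommand so the file can be sourced for its helper
# functions without making any AWS calls. Usage:
#   ./root-access.sh enable
#   ./root-access.sh audit  111122223333
#   ./root-access.sh delete 111122223333
#   ./root-access.sh unlock-s3 111122223333 my-locked-bucket
case "${1:-}" in
  enable)    enable_centralized_root ;;
  audit)     audit_root "$2" ;;
  delete)    delete_root_credentials "$2" ;;
  unlock-s3) root_task "$2" S3UnlockBucketPolicy aws s3api delete-bucket-policy --bucket "$3" ;;
  "")        ;;
  *)         echo "usage: $0 enable | audit ACCOUNT | delete ACCOUNT | unlock-s3 ACCOUNT BUCKET" >&2; exit 2 ;;
esac
```

Run `audit` against an account before `delete`, and keep the subshell pattern: the point of a 15-minute, single-purpose session is lost if its credentials are pasted into a long-lived profile. Every `assume-root` call, and every IAM or S3 call made with the resulting credentials, is recorded in CloudTrail, so a detection rule on `AssumeRoot` events is a cheap way to spot unexpected use. The management account’s own root user is out of scope: privileged actions apply only to member accounts, so that root user still needs MFA and the manual controls described earlier.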

By adopting these new features, organizations can significantly bolster their security posture while simplifying the management of root access across their AWS environments. For more on getting started, refer to the official AWS blog post and documentation in the references below.

References
Announcement: Centrally manage member account root accounts
Documentation: Centralize root access for member accounts

About
With over 20 years in the technology sector, Keith has spent the last decade providing consultancy, support, and strategic direction to customers across multiple cloud platforms.

Disclaimer: The information shared on this blog is for informational purposes only and should not be considered as professional advice. The opinions presented here are personal and independent of any affiliations with tech companies or organizations.