
aws-root-manager: Manage AWS root access in your organization

In AWS, managing root credentials has always been a friction point for organization administrators. Every time a new account was created, we had to configure MFA for root access, following best practices and the maturity model. Enabling MFA, however, is a manual step, and with AWS Organizations the problem scaled with the number of accounts. We could ignore it, apply an SCP to block actions performed with the root user, and live with the failed check reported by every security tool.

In 2023, AWS announced that MFA would become mandatory for the root user, and the time is near: from March 24, 2025, registering an MFA device will be required when signing in as the root user.

To address this, on November 15, 2024, AWS announced centralized root access management, which lets the management account remove root credentials from member accounts and run short-lived, task-scoped root sessions without signing in to each account as root. The console and CLI still operate on one account at a time, though, so with a large number of accounts doing it one by one is not the most convenient approach.

To simplify this, we created aws-root-manager, a tool that manages the state of root credentials across all accounts in an organization efficiently and automatically.


Introducing aws-root-manager

A CLI tool to streamline root access management in an AWS organization.


Its features include:

  • Check if centralized root access is enabled.
  • Enable centralized root access.
  • Display the status of root credentials across all organization accounts.
  • Remove root credentials from all accounts that have them active.
  • Allow root password recovery.
  • Outputs in table, json, and csv formats.
  • A great account selector. 😎

Requirements

  • Access to your AWS management account from your terminal.

  • You will also need the following IAM permissions:

    iam:ListOrganizationsFeatures
    organizations:DescribeOrganization
    organizations:ListAccounts
    sts:AssumeRoot
    

  • Additionally, if root credential management is not enabled in your organization, the following permissions will be required to enable it:

    iam:EnableOrganizationsRootCredentialsManagement
    iam:EnableOrganizationsRootSessions (only needed when S3 or SQS resource policies are going to be removed)
    organizations:EnableAwsServiceAccess
    
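To show what those four base permissions are actually used for, here is an added example in Python with boto3. It is not aws-root-manager's own code (that lives in the repo); it models the tool's status check: confirm RootCredentialsManagement is enabled, enumerate active member accounts, assume root in each with the AWS-managed read-only task policy IAMAuditRootUserCredentials, and read GetAccountSummary. Assumptions: that this task policy permits iam:GetAccountSummary, that the Fake* classes, run_offline_demo and all account IDs, names and summaries are constructed stand-ins for offline use, and that main() is only run from the management account with a boto3 recent enough to expose assume_root.

```python
"""Audit root credentials across an organization with sts:AssumeRoot.

Added example, not aws-root-manager's own code. It uses exactly the permissions
listed above: iam:ListOrganizationsFeatures, organizations:DescribeOrganization,
organizations:ListAccounts and sts:AssumeRoot (scoped by the AWS-managed read-only
task policy IAMAuditRootUserCredentials, assumed to allow iam:GetAccountSummary).
Fake* classes with constructed data make it run offline; main() wires boto3.
"""
AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"
REQUIRED_FEATURE = "RootCredentialsManagement"

def centralized_root_enabled(iam):
    """True when centralized root credential management is enabled for the org."""
    return REQUIRED_FEATURE in iam.list_organizations_features().get("EnabledFeatures", [])

def list_member_accounts(org):
    """ACTIVE accounts except the management account, which AssumeRoot cannot target."""
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    accounts, token = [], None
    while True:  # follow NextToken until the last page
        page = org.list_accounts(**({"NextToken": token} if token else {}))
        accounts += [a for a in page["Accounts"] if a["Status"] == "ACTIVE" and a["Id"] != mgmt]
        token = page.get("NextToken")
        if not token:
            return accounts

def root_credential_status(sts, iam_factory, account_id):
    """Assume root read-only in one member account and report which credentials exist."""
    creds = sts.assume_root(TargetPrincipal=account_id, TaskPolicyArn={"arn": AUDIT_POLICY_ARN},
                            DurationSeconds=900)["Credentials"]  # sessions are capped at 15 minutes
    s = iam_factory(creds).get_account_summary()["SummaryMap"]
    row = {
        "account_id": account_id,
        "password": bool(s.get("AccountPasswordPresent", 0)),
        "access_keys": bool(s.get("AccountAccessKeysPresent", 0)),
        "signing_certs": bool(s.get("AccountSigningCertificatesPresent", 0)),
        "mfa": bool(s.get("AccountMFAEnabled", 0)),
    }
    # MFA is reported but is not itself a credential: with no password or keys, nothing is left to protect.
    row["has_root_credentials"] = row["password"] or row["access_keys"] or row["signing_certs"]
    return row

def audit_organization(iam, org, sts, iam_factory):
    """Fail fast if the feature is off; AssumeRoot would be denied anyway."""
    if not centralized_root_enabled(iam):
        raise RuntimeError("RootCredentialsManagement is not enabled; run `aws-root-manager enable` first")
    return [root_credential_status(sts, iam_factory, a["Id"]) for a in list_member_accounts(org)]

# --- Constructed offline stand-ins for the boto3 clients (sample data, not real accounts) ---
class FakeIam:
    def __init__(self, features=(), summary=None):
        self.features, self.summary = list(features), summary or {}
    def list_organizations_features(self):
        return {"OrganizationId": "o-example", "EnabledFeatures": self.features}
    def get_account_summary(self):
        return {"SummaryMap": self.summary}

class FakeOrg:
    def __init__(self, accounts, page_size=2):
        self.accounts, self.page_size = accounts, page_size
    def describe_organization(self):
        return {"Organization": {"Id": "o-example", "MasterAccountId": "111111111111"}}
    def list_accounts(self, NextToken=None):
        start = int(NextToken or 0)
        resp = {"Accounts": self.accounts[start:start + self.page_size]}
        if start + self.page_size < len(self.accounts):
            resp["NextToken"] = str(start + self.page_size)
        return resp

class FakeSts:
    def assume_root(self, TargetPrincipal, TaskPolicyArn, DurationSeconds=900):
        assert DurationSeconds <= 900 and TaskPolicyArn["arn"].startswith("arn:aws:iam::aws:policy/root-task/")
        return {"Credentials": {"AccessKeyId": "ASIA" + TargetPrincipal, "SecretAccessKey": "x", "SessionToken": "y"}}

SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "management", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "sandbox", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "closed", "Status": "SUSPENDED"},
]
SAMPLE_SUMMARIES = {  # prod still has a root password (with MFA); sandbox has been cleaned
    "222222222222": {"AccountPasswordPresent": 1, "AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    "333333333333": {"AccountPasswordPresent": 0, "AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0},
}

def fake_iam_factory(creds):
    return FakeIam(summary=SAMPLE_SUMMARIES[creds["AccessKeyId"][4:]])
def run_offline_demo():
    return audit_organization(FakeIam(features=[REQUIRED_FEATURE]), FakeOrg(SAMPLE_ACCOUNTS), FakeSts(), fake_iam_factory)

def main():
    import boto3  # real run from the management account; needs a boto3 new enough to have assume_root
    def iam_for(creds):
        return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    for row in audit_organization(boto3.client("iam"), boto3.client("organizations"), boto3.client("sts"), iam_for):
        print(row)

if __name__ == "__main__":
    main()
```

Two practical details the example encodes: AssumeRoot refuses the management account, so its own root user still has to be secured by hand, and the session it returns is scoped to the task policy you name, so the same pattern with the delete task policy instead of the audit one is what a "remove root credentials" action amounts to.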

Enabling Root User Management in AWS

Before using aws-root-manager, centralized root credential management must be enabled in AWS Organizations. This can be done in several ways:

With aws-root-manager (the easiest and fastest way!)

aws-root-manager enable

(Optional) To interact with resource policies (S3 bucket or SQS queue policies), root sessions must also be enabled:

aws-root-manager enable --enableRootSessions

With the AWS CLI

Ensure that trusted access is enabled for the IAM service:

aws organizations enable-aws-service-access \
  --service-principal iam.amazonaws.com

Enable root credential management in the organization:

aws iam enable-organizations-root-credentials-management

(Optional) To interact with resource policies, root sessions must also be enabled:

aws iam enable-organizations-root-sessions

Other methods

We'll redirect you to the official documentation since it's perfectly explained there.

Try aws-root-manager!

You can find the tool and all the necessary information in our repo, aws-root-manager. We invite you to try it and contribute improvements.

We hope aws-root-manager is useful to you!


And that's all folks!
If you have any questions or comments, feel free to reach out.

Regards, and may the force be with you.