Detections
Analytics

2.1.1 Ensure centralized root access in AWS Organizations

Information

Ensure centralized root access management is enabled to manage and secure root user credentials for member accounts in AWS Organizations. This allows the management account and an optional delegated administrator account to centrally delete, prevent recovery of, and if necessary, perform short-lived, scoped root-required actions in member accounts without maintaining long-term root user credentials in each account.

The AWS account root user is a powerful, default administrative identity that is difficult to manage safely across many accounts. When each member account manages its own root credentials, organizations often end up with numerous long-lived root passwords, access keys, and MFA devices that are hard to inventory, rotate, and protect. Centralized root access management lets security teams remove or avoid creating root user credentials in member accounts, centrally review and manage any remaining root credentials, and perform necessary root-only tasks via short-term, task-scoped root sessions. This significantly reduces privileged credential sprawl, supports least privilege and dedicated administrator models, and improves visibility and auditability of root-level activity across the organization.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

-

Sign in to the AWS Management Console with the management account.

 -

In the console search bar, type Organizations and open AWS Organizations.

 - On the Overview page, confirm that an Organization exists and that this account is listed as the Management account.

 - In AWS Organizations, choose Services. Locate AWS Identity and Access Management in the list and, if it is not already enabled, choose Enable trusted access and confirm.

 - This allows IAM to integrate with AWS Organizations to manage root access centrally.

 - In the console search bar, type IAM and open IAM. In the left navigation pane, choose Root access management. If you see Root access management is disabled, choose Enable.

 - In the enable dialog, confirm that you want to - "Root credentials management" and if desired - "Privileged root actions in member accounts"
 - In the Delegated administrator field, enter the account ID of the account that will manage root user access and take privileged actions on member accounts. AWS recommends using an account intended for security or management purposes, not a general workload account.
 - When you enable centralized root access in the console, IAM also enables trusted access for IAM in AWS Organizations if it isn't already enabled.
 - Choose Enable to save the configuration.

Impact:

Enabling centralized root access management changes how root user access is obtained and used in member accounts, but it does not automatically remove existing root credentials. Organizations must plan when and how to delete or disable any existing root passwords, access keys, signing certificates, and MFA devices in member accounts and update any workflows that still rely on direct root sign-in. Security and operations teams will need to use centrally initiated, short-lived root sessions for exceptional tasks that truly require root. This may require procedural changes and additional training, but it significantly reduces long-lived privileged credential sprawl across the organization.

See Also

https://workbench.cisecurity.org/benchmarks/24575

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), 800-53|AC-3, 800-53|AC-6(2), 800-53|AC-6(5)

Plugin: amazon_aws

Control ID: 4bde6a079511b369180aa8d7348d65f134a620ff375205d987fd42de66e4414d