MFA-Anforderung für AWS-Root-Benutzer

# Extract temporary credentials from the assume role response
AWS_ACCESS_KEY_ID=$(echo "$assume_role" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "$assume_role" | jq -r '.Credentials.SecretAccessKey')
export AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN=$(echo "$assume_role" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN

# Attempt to delete the root user credentials
ROOT_USER_DELETED="true"

if aws iam delete-login-profile ; then
 echo "Deleted login profile for account $account_id"
else
 echo "Failed to delete login profile for account $account_id"
 ROOT_USER_DELETED="false"
 fi

# Delete all access keys for the root user
access_keys=$(aws iam list-access-keys --query 'AccessKeyMetadata[*].AccessKeyId' --output text)
 for key in $access_keys; do
  if aws iam delete-access-key --access-key-id "$key" ; then
   echo "Deleted access key $key for account $account_id"
	else
   echo "Failed to delete access key $key for account $account_id"
	ROOT_USER_DELETED="false"
  fi
done

# Deactivate and delete all MFA devices for the root user
mfa_devices=$(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --output text)
	for mfa_device in $mfa_devices; do
 if aws iam deactivate-mfa-device --serial-number "$mfa_device" ; then
  echo "Deactivated MFA device $mfa_device for account $account_id"
  else
  echo "Failed to deactivate MFA device $mfa_device for account $account_id"
  ROOT_USER_DELETED="false"
 fi
done

# Delete all signing certificates for the root user
signing_certs=$(aws iam list-signing-certificates --query 'Certificates[*].CertificateId' --output text)
for cert in $signing_certs; do
  if aws iam delete-signing-certificate --certificate-id "$cert" ; then
   echo "Deleted signing certificate $cert for account $account_id"
  else
   echo "Failed to delete signing certificate $cert for account $account_id"
   ROOT_USER_DELETED="false"
  fi
done

# Unset temporary credentials for security
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

# Write the account information to the CSV file
echo "$account_id,$ROOT_USER_DELETED" >> root_user_deletion.csv
done

echo "Root user deletion results have been written to root_user_deletion.csv"
 #!/bin/bash

# Specify the account IDs to exclude (comma-separated)
EXCLUDED_ACCOUNTS="123456789"

# Specify the AWS profile to use
AWS_PROFILE="root-access-management"

# Set the role name and additional parameters
REGION="us-east-1"
TASK_POLICY_ARN="arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Function to handle errors
handle_error() {
  echo "Error on line $2: Command exited with status $1" >&2
  exit "$1"
}

# Get the list of accounts in the organization
ACCOUNTS=$(aws organizations list-accounts  --profile $AWS_PROFILE  --query 'Accounts[*].[Id]' --output text 2>&1) || handle_error $? $LINENO

# Open a CSV file for writing
: > root_user_deletion.csv  # Create an empty file
echo "AccountId,RootUserDeleted" >> root_user_deletion.csv

# Iterate over each account
for account_id in $ACCOUNTS; do
 # Check if the account is excluded
   if echo ",$EXCLUDED_ACCOUNTS," | grep -q ",$account_id,"; then
    echo "Skipping account $account_id as it is excluded."
    continue
   fi

# Check if the account is suspended
account_status=$(aws organizations describe-account --account-id "$account_id" --query 'Account.Status' --output text --profile $AWS_PROFILE)
 if [ "$account_status" = "SUSPENDED" ]; then
  echo "Skipping account $account_id as it is suspended."
  continue
 fi

TARGET_PRINCIPAL="${account_id}"

# Assume the role
assume_role=$(aws  sts assume-root \
   --profile "$AWS_PROFILE" \
   --region $REGION \
   --task-policy-arn "$TASK_POLICY_ARN" \
   --target-principal "$TARGET_PRINCIPAL" \
   --output json)

# Extract temporary credentials from the assume role response
  WS_ACCESS_KEY_ID=$(echo "$assume_role" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "$assume_role" | jq -r '.Credentials.SecretAccessKey')
export AWS_SECRET_ACCESS_KEY
  AWS_SESSION_TOKEN=$(echo "$assume_role" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN

# Attempt to delete the root user credentials
ROOT_USER_DELETED="true"

if aws iam delete-login-profile ; then
  echo "Deleted login profile for account $account_id"
else
  echo "Failed to delete login profile for account $account_id"
  ROOT_USER_DELETED="false"
fi

 # Delete all access keys for the root user
 access_keys=$(aws iam list-access-keys --query 'AccessKeyMetadata[*].AccessKeyId' --output text)
 for key in $access_keys; do
  if aws iam delete-access-key --access-key-id "$key" ; then
    echo "Deleted access key $key for account $account_id"
   else
    echo "Failed to delete access key $key for account $account_id"
   ROOT_USER_DELETED="false"
   fi
 done

# Deactivate and delete all MFA devices for the root user
mfa_devices=$(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --output text)
for mfa_device in $mfa_devices; do
 if aws iam deactivate-mfa-device --serial-number "$mfa_device" ; then
  echo "Deactivated MFA device $mfa_device for account $account_id"
 else
  echo "Failed to deactivate MFA device $mfa_device for account $account_id"
  ROOT_USER_DELETED="false"
 fi
done

 # Delete all signing certificates for the root user
 signing_certs=$(aws iam list-signing-certificates --query 'Certificates[*].CertificateId' --output text)
 for cert in $signing_certs; do
  if aws iam delete-signing-certificate --certificate-id "$cert" ; then
   echo "Deleted signing certificate $cert for account $account_id"
  else
   echo "Failed to delete signing certificate $cert for account $account_id"
   ROOT_USER_DELETED="false"
  fi
 done

 # Unset temporary credentials for security
 unset AWS_ACCESS_KEY_ID
 unset AWS_SECRET_ACCESS_KEY
 unset AWS_SESSION_TOKEN

 # Write the account information to the CSV file
 echo "$account_id,$ROOT_USER_DELETED" >> root_user_deletion.csv

done

echo "Root user deletion results have been written to root_user_deletion.csv"