by Raphael Eymann
Cloud Engineer

MFA Requirement for AWS Root Users

Starting at the end of March 2025, AWS will enforce Multi-Factor Authentication (MFA) for all AWS Organizations Member Account Root Users. Users will have the option to postpone MFA registration for up to 35 days by skipping the prompt. After this grace period, registration for one of the following MFA types will be mandatory:

  • Passkeys and security keys
  • Virtual authenticator applications
  • Hardware TOTP tokens

For more details, refer to the AWS Documentation.

Challenges with Multiple AWS Accounts

Managing MFA registration for numerous AWS Organizations member accounts can be a daunting task, especially if you have fifty or more accounts. Once you overcome this task, it is crucial to ensure that the right individuals have access to the accounts. There are instances where logging in as a Root user is necessary, such as when deleting an S3 bucket policy.

Fortunately, alongside the enforcement of MFA registration, AWS provides a solution for this: centralized root access management for Organizations member accounts.

Enabling Centralized Root Access

  • Manage your AWS accounts within AWS Organizations.
  • Possess the following permissions:
    • iam:EnableOrganizationsRootCredentialsManagement
    • iam:EnableOrganizationsRootSessions
    • organizations:RegisterDelegatedAdministrator
    • organizations:EnableAwsServiceAccess

The AWS documentation describes how to enable these features in the AWS Console or with the AWS CLI.

We have successfully implemented this with the following Terraform code:

resource "aws_organizations_organization" "this" {
  # IAM must be enabled as a trusted service in the organization before the
  # root access features can be turned on
  aws_service_access_principals = [
    "iam.amazonaws.com"
  ]
}

# The resource type and name were missing from the original snippet; the Terraform
# AWS provider resource for these organization-level IAM features is
# aws_iam_organizations_features (the name "this" is our choice)
resource "aws_iam_organizations_features" "this" {
  enabled_features = [
    "RootCredentialsManagement",
    "RootSessions"
  ]

  depends_on = [aws_organizations_organization.this]
}

Removing Root Credentials at Scale

After enabling centralized root access, no changes will occur for the individual AWS organization member accounts. The next step involves removing root credentials for each AWS organization member account. If you have only a few accounts, you can perform this task via the AWS Console:

  1. Sign in to the AWS Management Console and open the IAM console.
  2. In the navigation pane, choose Root access management.
  3. Select a name from the member account list and choose Take privileged action.
  4. Choose the privileged action you want to take in the member account:
    • Select Delete root credentials to remove root access from a member account. This action deletes the root user password, access keys, and signing certificates, and deactivates MFA for the member account.
    • Choose Delete root credentials.

For more information, refer to the AWS documentation on performing privileged tasks on AWS Organizations member accounts.

Since you cannot select multiple accounts simultaneously for privileged actions, manually removing root credentials across numerous accounts can be time-consuming and may take hours. To streamline this process, AWS has published a sample Bash script. This script has been adapted by us to also delete Access Keys, MFA devices, and Signing Certificates.

Important: Use this Bash script with caution

Before running the script, ensure the following:

  • Install the AWS CLI.
  • Set up the login profile “root-access-management” with permissions to perform all necessary actions.

#!/bin/bash

# Specify the account IDs to exclude (comma-separated)
EXCLUDED_ACCOUNTS="123456789"

# Specify the AWS profile to use
AWS_PROFILE="root-access-management"

# Region for STS and the task policy that scopes the root session to credential deletion
REGION="us-east-1"
TASK_POLICY_ARN="arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Function to handle errors
handle_error() {
  echo "Error on line $2: Command exited with status $1" >&2
  exit "$1"
}

# Get the list of accounts in the organization
ACCOUNTS=$(aws organizations list-accounts --profile "$AWS_PROFILE" --query 'Accounts[*].[Id]' --output text 2>&1) || handle_error $? $LINENO

# Open a CSV file for writing
: > root_user_deletion.csv  # Create an empty file
echo "AccountId,RootUserDeleted" >> root_user_deletion.csv

# Iterate over each account
for account_id in $ACCOUNTS; do
  # Check if the account is excluded
  if echo ",$EXCLUDED_ACCOUNTS," | grep -q ",$account_id,"; then
    echo "Skipping account $account_id as it is excluded."
    continue
  fi

  # Check if the account is suspended
  account_status=$(aws organizations describe-account --account-id "$account_id" --query 'Account.Status' --output text --profile "$AWS_PROFILE")
  if [ "$account_status" = "SUSPENDED" ]; then
    echo "Skipping account $account_id as it is suspended."
    continue
  fi

  TARGET_PRINCIPAL="${account_id}"

  # Launch a root session in the member account, limited by the task policy
  assume_role=$(aws sts assume-root \
    --profile "$AWS_PROFILE" \
    --region "$REGION" \
    --task-policy-arn "$TASK_POLICY_ARN" \
    --target-principal "$TARGET_PRINCIPAL" \
    --output json) || handle_error $? $LINENO

  # Export the temporary root credentials; the IAM calls below run as the
  # member account's root user and therefore act on it without --user-name
  export AWS_ACCESS_KEY_ID=$(echo "$assume_role" | jq -r '.Credentials.AccessKeyId')
  export AWS_SECRET_ACCESS_KEY=$(echo "$assume_role" | jq -r '.Credentials.SecretAccessKey')
  export AWS_SESSION_TOKEN=$(echo "$assume_role" | jq -r '.Credentials.SessionToken')

  # Delete the root console password (login profile); it may already be absent
  aws iam delete-login-profile --region "$REGION" 2>/dev/null || echo "No login profile in account $account_id."

  # Delete all root access keys
  for key_id in $(aws iam list-access-keys --query 'AccessKeyMetadata[*].AccessKeyId' --output text --region "$REGION"); do
    aws iam delete-access-key --access-key-id "$key_id" --region "$REGION"
  done

  # Deactivate all root MFA devices; virtual devices are deleted afterwards
  for serial in $(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --output text --region "$REGION"); do
    aws iam deactivate-mfa-device --serial-number "$serial" --region "$REGION"
    case "$serial" in
      arn:aws:iam::*:mfa/*) aws iam delete-virtual-mfa-device --serial-number "$serial" --region "$REGION" ;;
    esac
  done

  # Delete all root signing certificates
  for cert_id in $(aws iam list-signing-certificates --query 'Certificates[*].CertificateId' --output text --region "$REGION"); do
    aws iam delete-signing-certificate --certificate-id "$cert_id" --region "$REGION"
  done

  # Drop the root session credentials and record the result
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  echo "$account_id,true" >> root_user_deletion.csv
  echo "Root credentials removed from account $account_id."
done

By following these steps, you can efficiently manage the removal of root credentials across multiple AWS organization member accounts.

Restricting Root Session Access

Only grant access to use the new root sessions with AssumeRoot to administrators and automations that require it. Within your organization’s management and delegated admin account for root management, grant sts:AssumeRoot permissions only to the persons and automations who need it.

You can further restrict the actions that an admin or automation principal can perform by using the AWS Security Token Service (AWS STS) condition key sts:TaskPolicyArn, as shown in the following policy statement:

{
  "Sid": "AllowLaunchingRootSessionsforS3Action",
  "Effect": "Allow",
  "Action": "sts:AssumeRoot",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "sts:TaskPolicyArn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
    }
  }
}
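
Restricting who may call sts:AssumeRoot and with which task policy is only half of the control; the other half is checking the CloudTrail record of every root session against that intent. The following Python script is an added example, not code from the original article or from AWS: it filters CloudTrail records for AssumeRoot calls and reports any whose task policy is not on an allowlist, whose caller is not an expected principal, or that were denied. The allowlist, the expected role ARN (arn:aws:iam::111111111111:role/root-access-management) and the sample records are constructed for the example; the records follow CloudTrail's general JSON layout, and the taskPolicyArn request parameter is read whether it is logged as a plain string or as an object with an "arn" key.

```python
"""Audit CloudTrail records for sts:AssumeRoot calls that fall outside the
allowed task policies or the expected callers (added example, not AWS code)."""
import json

# Task policies this organization allows for root sessions. Constructed allowlist;
# the S3UnlockBucketPolicy ARN is the one from the policy statement above.
ALLOWED_TASK_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy",
}

# Principals expected to launch root sessions (hypothetical role ARN).
EXPECTED_CALLER_ARNS = {
    "arn:aws:iam::111111111111:role/root-access-management",
}


def task_policy_arn(record):
    """Extract the task policy ARN from an AssumeRoot record. The value is
    accepted either as a plain string or as {"arn": "..."} (assumption about
    how CloudTrail serialises this request parameter)."""
    value = (record.get("requestParameters") or {}).get("taskPolicyArn")
    if isinstance(value, dict):
        return value.get("arn")
    return value


def assume_root_events(records):
    """Return only the AssumeRoot calls from an iterable of CloudTrail records."""
    return [
        r for r in records
        if r.get("eventSource") == "sts.amazonaws.com" and r.get("eventName") == "AssumeRoot"
    ]


def findings_for(record):
    """Return a list of human-readable findings for one AssumeRoot record."""
    findings = []
    policy = task_policy_arn(record)
    caller = (record.get("userIdentity") or {}).get("arn")
    target = (record.get("requestParameters") or {}).get("targetPrincipal")
    if policy not in ALLOWED_TASK_POLICY_ARNS:
        findings.append(f"task policy not allowlisted: {policy}")
    if caller not in EXPECTED_CALLER_ARNS:
        findings.append(f"unexpected caller: {caller}")
    if record.get("errorCode"):
        findings.append(f"request denied ({record['errorCode']}) for target {target}")
    return findings


def audit(records):
    """Map eventID -> findings for every AssumeRoot record that needs attention."""
    result = {}
    for record in assume_root_events(records):
        found = findings_for(record)
        if found:
            result[record["eventID"]] = found
    return result


# Constructed sample records in CloudTrail's JSON layout (not real log data).
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventID": "evt-1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111111111111:role/root-access-management"},
  "requestParameters": {"targetPrincipal": "222222222222",
                        "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"}}},
 {"eventID": "evt-2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/contractor"},
  "requestParameters": {"targetPrincipal": "333333333333",
                        "taskPolicyArn": "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"}},
 {"eventID": "evt-3", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111111111111:role/root-access-management"},
  "requestParameters": {"targetPrincipal": "444444444444",
                        "taskPolicyArn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"},
  "errorCode": "AccessDenied"},
 {"eventID": "evt-4", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/contractor"},
  "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Deploy"}}
]}
""")["Records"]


if __name__ == "__main__":
    for event_id, found in audit(SAMPLE_TRAIL).items():
        print(event_id, "->", "; ".join(found))
```

Run the script against a trail export and evt-1 (allowed policy, expected caller) passes silently, evt-2 is flagged twice (credential-deletion task policy from an unexpected IAM user), evt-3 is flagged because the request was denied, and the plain AssumeRole record is ignored. AssumeRoot is recorded in the trail of the management or delegated administrator account that launched the session, so that is the trail to feed in.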