from Raphael Eymann
Cloud Engineer

MFA Requirement for AWS Root Users

Starting at the end of March 2025, AWS will enforce Multi-Factor Authentication (MFA) for all AWS Organizations Member Account Root Users. Users will have the option to postpone MFA registration for up to 35 days by skipping the prompt. After this grace period, registration for one of the following MFA types will be mandatory:

Passkeys and security keys
Virtual authenticator applications
Hardware TOTP tokensn

For more details, refer to the AWS Documentation.

Challenges with Multiple AWS Accounts

Managing MFA registration for numerous AWS Organizations member accounts can be a daunting task, especially if you have fifty or more accounts. Once you overcome this task, it is crucial to ensure that the right individuals have access to the accounts. There are instances where logging in as a Root user is necessary, such as when deleting an S3 bucket policy.

Fortunately, AWS provides a solution with the enforcement of MFA registration.

Enabling Centralized Root Access

Manage your AWS accounts within AWS Organizations.
Possess the following permissions:
- iam:EnableOrganizationsRootCredentialsManagement
- iam:EnableOrganizationsRootSessions
- organizations:RegisterDelegatedAdministrator
- organizations:EnableAwsServiceAccess

You can find Documentation on enabling these features within the AWS Console or AWS CLI.

We have successfully implemented this with the following Terraform code:

resource "aws_organizations_organization" "this" {
 aws_service_access_principals = [
   "iam.amazonaws.com"
 ]
}
resource  {
 enabled_features = [
 "RootCredentialsManagement",
 "RootSessions"
 ]
}

Removing Root Credentials at Scale

After enabling centralized root access, no changes will occur for the individual AWS organization member accounts. The next step involves removing root credentials for each AWS organization member account. If you have only a few accounts, you can perform this task via the AWS Console:

Sign in to the AWS Management Console and open the IAM
In the navigation pane, choose Root access management.
Select a name from the member account list and choose Take privileged action.
Choose the privileged action you want to take in the member account:
Select Delete root credentials to remove root access from a member account. This action deletes the root user password, access keys, signing certificates, and deactivates MFA for the member account.
Choose Delete root credentials.

For more information, refer to the AWS documentation on performing privileged tasks on AWS Organizations member accounts.

Since you cannot select multiple accounts simultaneously for privileged actions, manually removing root credentials across numerous accounts can be time-consuming and may take hours. To streamline this process, AWS has published a sample Bash script. This script has been adapted by us to also delete Access Keys, MFA devices, and Signing Certificates.

Important: Use this Bash script with caution

Before running the script, ensure the following:

Install the AWS CLI.
Set up the login profile “root-access-management” with permissions to perform all necessary actions.

#!/bin/bash

# Specify the account IDs to exclude (comma-separated)
EXCLUDED_ACCOUNTS="123456789"

# Specify the AWS profile to use
AWS_PROFILE="root-access-management"

# Set the role name and additional parameters
REGION="us-east-1"
TASK_POLICY_ARN="arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Function to handle errors
handle_error() {
 echo "Error on line $2: Command exited with status $1" >&2
 exit "$1"
}

# Get the list of accounts in the organization
ACCOUNTS=$(aws organizations list-accounts  --profile $AWS_PROFILE  --query 'Accounts[*].[Id]' --output text 2>&1) || handle_error $? $LINENO

# Open a CSV file for writing
: > root_user_deletion.csv  # Create an empty file
echo "AccountId,RootUserDeleted" >> root_user_deletion.csv

# Iterate over each account
for account_id in $ACCOUNTS; do
  # Check if the account is excluded
  if echo ",$EXCLUDED_ACCOUNTS," | grep -q ",$account_id,"; then
     echo "Skipping account $account_id as it is excluded."
     continue
 fi

# Check if the account is suspended
  account_status=$(aws organizations describe-account --account-id "$account_id" --query 'Account.Status' --output text --profile $AWS_PROFILE)
  if [ "$account_status" = "SUSPENDED" ]; then
   echo "Skipping account $account_id as it is suspended."
   continue
  fi

TARGET_PRINCIPAL="${account_id}"

# Assume the role
 assume_role=$(aws  sts assume-root \
    --profile "$AWS_PROFILE" \
    --region $REGION \
    --task-policy-arn "$TASK_POLICY_ARN" \
    --target-principal "$TARGET_PRINCIPAL" \
    --output json)

# Extract temporary credentials from the assume role response
AWS_ACCESS_KEY_ID=$(echo "$assume_role" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "$assume_role" | jq -r '.Credentials.SecretAccessKey')
export AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN=$(echo "$assume_role" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN

# Attempt to delete the root user credentials
ROOT_USER_DELETED="true"

if aws iam delete-login-profile ; then
 echo "Deleted login profile for account $account_id"
else
 echo "Failed to delete login profile for account $account_id"
 ROOT_USER_DELETED="false"
 fi

# Delete all access keys for the root user
access_keys=$(aws iam list-access-keys --query 'AccessKeyMetadata[*].AccessKeyId' --output text)
 for key in $access_keys; do
  if aws iam delete-access-key --access-key-id "$key" ; then
   echo "Deleted access key $key for account $account_id"
	else
   echo "Failed to delete access key $key for account $account_id"
	ROOT_USER_DELETED="false"
  fi
done

# Deactivate and delete all MFA devices for the root user
mfa_devices=$(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --output text)
	for mfa_device in $mfa_devices; do
 if aws iam deactivate-mfa-device --serial-number "$mfa_device" ; then
  echo "Deactivated MFA device $mfa_device for account $account_id"
  else
  echo "Failed to deactivate MFA device $mfa_device for account $account_id"
  ROOT_USER_DELETED="false"
 fi
done

# Delete all signing certificates for the root user
signing_certs=$(aws iam list-signing-certificates --query 'Certificates[*].CertificateId' --output text)
for cert in $signing_certs; do
  if aws iam delete-signing-certificate --certificate-id "$cert" ; then
   echo "Deleted signing certificate $cert for account $account_id"
  else
   echo "Failed to delete signing certificate $cert for account $account_id"
   ROOT_USER_DELETED="false"
  fi
done

# Unset temporary credentials for security
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

# Write the account information to the CSV file
echo "$account_id,$ROOT_USER_DELETED" >> root_user_deletion.csv
done

echo "Root user deletion results have been written to root_user_deletion.csv"
 #!/bin/bash

# Specify the account IDs to exclude (comma-separated)
EXCLUDED_ACCOUNTS="123456789"

# Specify the AWS profile to use
AWS_PROFILE="root-access-management"

# Set the role name and additional parameters
REGION="us-east-1"
TASK_POLICY_ARN="arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Function to handle errors
handle_error() {
  echo "Error on line $2: Command exited with status $1" >&2
  exit "$1"
}

# Get the list of accounts in the organization
ACCOUNTS=$(aws organizations list-accounts  --profile $AWS_PROFILE  --query 'Accounts[*].[Id]' --output text 2>&1) || handle_error $? $LINENO

# Open a CSV file for writing
: > root_user_deletion.csv  # Create an empty file
echo "AccountId,RootUserDeleted" >> root_user_deletion.csv

# Iterate over each account
for account_id in $ACCOUNTS; do
 # Check if the account is excluded
   if echo ",$EXCLUDED_ACCOUNTS," | grep -q ",$account_id,"; then
    echo "Skipping account $account_id as it is excluded."
    continue
   fi

# Check if the account is suspended
account_status=$(aws organizations describe-account --account-id "$account_id" --query 'Account.Status' --output text --profile $AWS_PROFILE)
 if [ "$account_status" = "SUSPENDED" ]; then
  echo "Skipping account $account_id as it is suspended."
  continue
 fi

TARGET_PRINCIPAL="${account_id}"

# Assume the role
assume_role=$(aws  sts assume-root \
   --profile "$AWS_PROFILE" \
   --region $REGION \
   --task-policy-arn "$TASK_POLICY_ARN" \
   --target-principal "$TARGET_PRINCIPAL" \
   --output json)

# Extract temporary credentials from the assume role response
  WS_ACCESS_KEY_ID=$(echo "$assume_role" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "$assume_role" | jq -r '.Credentials.SecretAccessKey')
export AWS_SECRET_ACCESS_KEY
  AWS_SESSION_TOKEN=$(echo "$assume_role" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN

# Attempt to delete the root user credentials
ROOT_USER_DELETED="true"

if aws iam delete-login-profile ; then
  echo "Deleted login profile for account $account_id"
else
  echo "Failed to delete login profile for account $account_id"
  ROOT_USER_DELETED="false"
fi

 # Delete all access keys for the root user
 access_keys=$(aws iam list-access-keys --query 'AccessKeyMetadata[*].AccessKeyId' --output text)
 for key in $access_keys; do
  if aws iam delete-access-key --access-key-id "$key" ; then
    echo "Deleted access key $key for account $account_id"
   else
    echo "Failed to delete access key $key for account $account_id"
   ROOT_USER_DELETED="false"
   fi
 done

# Deactivate and delete all MFA devices for the root user
mfa_devices=$(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --output text)
for mfa_device in $mfa_devices; do
 if aws iam deactivate-mfa-device --serial-number "$mfa_device" ; then
  echo "Deactivated MFA device $mfa_device for account $account_id"
 else
  echo "Failed to deactivate MFA device $mfa_device for account $account_id"
  ROOT_USER_DELETED="false"
 fi
done

 # Delete all signing certificates for the root user
 signing_certs=$(aws iam list-signing-certificates --query 'Certificates[*].CertificateId' --output text)
 for cert in $signing_certs; do
  if aws iam delete-signing-certificate --certificate-id "$cert" ; then
   echo "Deleted signing certificate $cert for account $account_id"
  else
   echo "Failed to delete signing certificate $cert for account $account_id"
   ROOT_USER_DELETED="false"
  fi
 done

 # Unset temporary credentials for security
 unset AWS_ACCESS_KEY_ID
 unset AWS_SECRET_ACCESS_KEY
 unset AWS_SESSION_TOKEN

 # Write the account information to the CSV file
 echo "$account_id,$ROOT_USER_DELETED" >> root_user_deletion.csv

done

echo "Root user deletion results have been written to root_user_deletion.csv"

By following these steps, you can efficiently manage the removal of root credentials across multiple AWS organization member accounts.

Restricting Root Session Access

Only grant access to use the new root sessions with AssumeRoot to administrators and automations that require it. Within your organization’s management and delegated admin account for root management, grant sts:AssumeRoot permissions only to the persons and automations who need it.

You can further restrict the actions that an admin or automation principal can perform using the AWS Security Token Service (AWS STS) condition key sts:TaskPolicyArn verwenden, as shown in the following policy statement:

{
  "Sid": "AllowLaunchingRootSessionsforS3Action",
  "Effect": "Allow",
  "Action": "sts:AssumeRoot",
  "Resource": "*",
   "Condition": {
      "StringEquals": {
        "sts:TaskPolicyARN":"arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
      }
   }
}