MFA Requirement for AWS Root Users
Starting at the end of March 2025, AWS will enforce Multi-Factor Authentication (MFA) for all AWS Organizations Member Account Root Users. Users will have the option to postpone MFA registration for up to 35 days by skipping the prompt. After this grace period, registration for one of the following MFA types will be mandatory:
- Passkeys and security keys
- Virtual authenticator applications
- Hardware TOTP tokens
For more details, refer to the AWS Documentation.
Challenges with Multiple AWS Accounts
Managing MFA registration for numerous AWS Organizations member accounts can be a daunting task, especially if you have fifty or more accounts. Once you have overcome it, you still need to ensure that only the right individuals can access those accounts. There are cases where logging in as the root user is unavoidable, such as deleting an S3 bucket policy that locks everyone out.
Fortunately, alongside the MFA enforcement AWS also provides a way out: centralized root access management, which lets you remove member-account root credentials altogether.
Enabling Centralized Root Access
- Manage your AWS accounts within AWS Organizations.
- Possess the following permissions:
  - iam:EnableOrganizationsRootCredentialsManagement
  - iam:EnableOrganizationsRootSessions
  - organizations:RegisterDelegatedAdministrator
  - organizations:EnableAwsServiceAccess
You can find Documentation on enabling these features within the AWS Console or AWS CLI.
We have successfully implemented this with the following Terraform code:
# Trusted access for IAM must be enabled on the organization first
resource "aws_organizations_organization" "this" {
  aws_service_access_principals = [
    "iam.amazonaws.com"
  ]
}

# Provider resource that turns on the centralized root access features
# (resource type as named in the Terraform AWS provider)
resource "aws_iam_organizations_features" "this" {
  enabled_features = [
    "RootCredentialsManagement",
    "RootSessions"
  ]
}
Removing Root Credentials at Scale
After enabling centralized root access, no changes will occur for the individual AWS organization member accounts. The next step involves removing root credentials for each AWS organization member account. If you have only a few accounts, you can perform this task via the AWS Console:
- Sign in to the AWS Management Console and open the IAM console.
- In the navigation pane, choose Root access management.
- Select a name from the member account list and choose Take privileged action.
- Choose the privileged action you want to take in the member account: select Delete root credentials to remove root access from the member account. This action deletes the root user password, access keys, and signing certificates, and deactivates MFA for the member account.
- Choose Delete root credentials.
For more information, refer to the AWS documentation on performing privileged tasks on AWS Organizations member accounts.
Since you cannot select multiple accounts at once for privileged actions, manually removing root credentials across numerous accounts is time-consuming and can take hours. To streamline this process, AWS has published a sample Bash script, which we have adapted to also delete access keys, MFA devices, and signing certificates.
Important: Use this Bash script with caution
Before running the script, ensure the following:
- Install the AWS CLI.
- Set up the login profile “root-access-management” with permissions to perform all necessary actions.
#!/bin/bash

# Specify the account IDs to exclude (comma-separated)
EXCLUDED_ACCOUNTS="123456789"

# Specify the AWS profile to use
AWS_PROFILE="root-access-management"

# Set the role name and additional parameters
REGION="us-east-1"
# "arn=<policy arn>" is the CLI shorthand for the TaskPolicyArn structure of assume-root
TASK_POLICY_ARN="arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Function to handle errors
handle_error() {
  echo "Error on line $2: Command exited with status $1" >&2
  exit "$1"
}

# Get the list of accounts in the organization
ACCOUNTS=$(aws organizations list-accounts --profile "$AWS_PROFILE" --query 'Accounts[*].[Id]' --output text 2>&1) || handle_error $? $LINENO

# Open a CSV file for writing
: > root_user_deletion.csv # Create an empty file
echo "AccountId,RootUserDeleted" >> root_user_deletion.csv

# Iterate over each account
for account_id in $ACCOUNTS; do
  # Check if the account is excluded
  if echo ",$EXCLUDED_ACCOUNTS," | grep -q ",$account_id,"; then
    echo "Skipping account $account_id as it is excluded."
    continue
  fi

  # Check if the account is suspended
  account_status=$(aws organizations describe-account --account-id "$account_id" --query 'Account.Status' --output text --profile "$AWS_PROFILE")
  if [ "$account_status" = "SUSPENDED" ]; then
    echo "Skipping account $account_id as it is suspended."
    continue
  fi

  TARGET_PRINCIPAL="${account_id}"

  # Assume the root session for the member account, scoped to the task policy
  assume_role=$(aws sts assume-root \
    --profile "$AWS_PROFILE" \
    --region "$REGION" \
    --task-policy-arn "$TASK_POLICY_ARN" \
    --target-principal "$TARGET_PRINCIPAL" \
    --output json)
  # The remaining per-account steps (deleting credentials with the $assume_role session) are not shown
done
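As an added example (not the authors' adapted script, which is not reproduced past the assume-root call above), here is the per-account step that follows: a function that takes the scoped root session and removes the member account's login profile, access keys, signing certificates and MFA devices. It assumes AWS CLI v2 and the root-access-management profile; all AWS calls go through the plain `aws` command, so the function can be exercised offline by shadowing `aws` with a shell function.

```shell
#!/bin/bash
# Added example: clean up the root credentials of ONE member account using a
# root session restricted to the IAMDeleteRootUserCredentials task policy.
# Assumes AWS CLI v2 and the "root-access-management" profile from the page.
AWS_PROFILE="root-access-management"
REGION="us-east-1"
# "arn=<policy arn>" is the CLI shorthand for the TaskPolicyArn structure
TASK_POLICY_ARN="arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Runs in a subshell so the temporary root credentials never leak into the caller's shell.
delete_root_credentials() (
  set -e
  account_id=$1
  # Fetch the session as three tab-separated fields; no JSON parsing needed.
  creds=$(aws sts assume-root --profile "$AWS_PROFILE" --region "$REGION" \
    --target-principal "$account_id" --task-policy-arn "$TASK_POLICY_ARN" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- $creds   # word-split into $1 $2 $3 (the fields contain no whitespace)
  # Swap the profile for the root session. Without --user-name the IAM commands
  # below act on the calling identity, i.e. the member account's root user.
  unset AWS_PROFILE
  export AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3
  export AWS_DEFAULT_REGION="$REGION"
  # Console password: NoSuchEntity only means there was none; anything else is fatal.
  if ! err=$(aws iam delete-login-profile 2>&1 >/dev/null); then
    case $err in *NoSuchEntity*) ;; *) echo "$err" >&2; exit 1 ;; esac
  else
    echo "$account_id: login profile deleted"
  fi
  for key in $(aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    aws iam delete-access-key --access-key-id "$key"
    echo "$account_id: access key $key deleted"
  done
  for cert in $(aws iam list-signing-certificates --query 'Certificates[].CertificateId' --output text); do
    aws iam delete-signing-certificate --certificate-id "$cert"
    echo "$account_id: signing certificate $cert deleted"
  done
  # MFA: every device is deactivated; only virtual devices (serial is an mfa/ ARN)
  # can also be deleted. Hardware TOTP tokens and security keys stay deactivated.
  for serial in $(aws iam list-mfa-devices --query 'MFADevices[].SerialNumber' --output text); do
    aws iam deactivate-mfa-device --serial-number "$serial"
    case $serial in arn:aws:iam::*:mfa/*) aws iam delete-virtual-mfa-device --serial-number "$serial" ;; esac
    echo "$account_id: MFA device $serial deactivated"
  done
)

# Usage: ./delete_root_credentials.sh <member-account-id>
if [ "$#" -gt 0 ]; then delete_root_credentials "$1"; fi
```

Because the function exports the session only inside its own subshell, the caller's profile-based credentials are untouched when it returns.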
Restricting Root Session Access
Only grant access to use the new root sessions with AssumeRoot to administrators and automations that require it. Within your organization’s management and delegated admin account for root management, grant sts:AssumeRoot permissions only to the persons and automations who need it.
You can further restrict the actions that an admin or automation principal can perform by using the AWS Security Token Service (AWS STS) condition key sts:TaskPolicyArn, as shown in the following policy statement:
{
  "Sid": "AllowLaunchingRootSessionsforS3Action",
  "Effect": "Allow",
  "Action": "sts:AssumeRoot",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "sts:TaskPolicyARN": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
    }
  }
}