Managing root credentials at scale has always been a tiresome process, with the recommendation to use hardware MFA an added hurdle. We used to overcome this quite easily when engineers were in the office: an engineer would follow a simple, but time-consuming, process.

- Check the hardware MFA key out of its safe location
- Create the account, using IaC
- Reset the password on the account, storing it in a centralized password manager
- Log in to the account and set up the hardware MFA
- Check the key back in

When COVID hit, we adapted to a remote-first way of working, but this made it ever so difficult to manage and we felt we were always chasing down accounts to enable MFA. This eventually led to our TAMs chasing us when accounts slipped out of the net.

The introduction of [Root Access Management](https://aws.amazon.com/blogs/aws/centrally-managing-root-access-for-customers-using-aws-organizations/) has eradicated this process and, once enabled, all newly created accounts are safe; even the password reset functionality is disabled. For older accounts, we can use the UI to manually remove the credentials across each account, but with a large number of accounts, clicking around in the UI and manually enabling each account was not an option.

To roll this out automatically I wrote a simple Python application that lets me open up a CloudShell on the management account, check out a repo and leave it to it. It comes with skip flags for each item being removed and a dry mode to show what will happen across the org.
**Usage example**

```bash
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.py
```

**Skip signing certificates**

```bash
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.py --skip-signing-certificates
```

It's as simple as that, but if you want the details of how it works, continue reading.

**The meaty bit - broken down**

Essentially, what we are doing is enabling root access management, iterating over each account, assuming root and running the disables.

Enabling root access management:

```bash
aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
aws iam enable-organizations-root-credentials-management
aws iam enable-organizations-root-sessions
```

Iterating over the accounts, and for each account:

```bash
aws sts assume-root --target-principal <account_id> --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials --duration-seconds 900
# Use the credentials returned above for the commands that follow
aws iam get-login-profile                   # if it exists:
aws iam delete-login-profile
aws iam list-access-keys                    # iterate:
aws iam delete-access-key --access-key-id <access_key_id>
aws iam list-signing-certificates           # iterate:
aws iam delete-signing-certificate --certificate-id <certificate_id>
aws iam list-mfa-devices                    # iterate:
aws iam deactivate-mfa-device --serial-number <serial_number>
```

## Sources

[AWS | Community | Automatically roll out IAM Root Access Management](https://community.aws/content/2pOSyUMfp8gml8SbUvTuZjVawdE/automatically-roll-out-iam-root-access-management?lang=en)
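The per-account sequence from the walkthrough above, written as an added Python example with boto3 (my code, not the project's): `root_iam_client` takes an STS client created in the management account and performs the assume-root call under the IAMDeleteRootUserCredentials task policy, and `remove_root_credentials` runs the list/delete steps against that root session, defaulting to a dry run and returning what it removed or would remove. The `skip` names and the `dry_run` flag are my assumptions modelled on the tool's skip flags and dry mode.

```python
# Added example (not the project's code): the per-account steps above as boto3 calls.
ROOT_DELETE_POLICY = "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

def root_iam_client(sts, account_id):
    """Assume root in one member account; the task policy limits the session to credential removal."""
    import boto3  # imported here so remove_root_credentials can be exercised without boto3 installed
    creds = sts.assume_root(
        TargetPrincipal=account_id,
        TaskPolicyArn={"arn": ROOT_DELETE_POLICY},
        DurationSeconds=900,  # 15 minutes is the ceiling for a root session; these calls finish well within it
    )["Credentials"]
    return boto3.client(
        "iam",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )

def remove_root_credentials(iam, skip=frozenset(), dry_run=True):
    """Return the removals for this account's root user; execute them only when dry_run is False.
    skip (an assumption modelled on the tool's flags) takes any of: login-profile,
    access-keys, signing-certificates, mfa-devices."""
    actions = []
    if "login-profile" not in skip:
        try:
            iam.get_login_profile()  # no UserName: refers to the root user of this session
            actions.append("delete-login-profile")
            if not dry_run:
                iam.delete_login_profile()
        except iam.exceptions.NoSuchEntityException:
            pass  # console password already removed, nothing to do
    if "access-keys" not in skip:
        for key in iam.list_access_keys()["AccessKeyMetadata"]:
            actions.append(f"delete-access-key {key['AccessKeyId']}")
            if not dry_run:
                iam.delete_access_key(AccessKeyId=key["AccessKeyId"])
    if "signing-certificates" not in skip:
        for cert in iam.list_signing_certificates()["Certificates"]:
            actions.append(f"delete-signing-certificate {cert['CertificateId']}")
            if not dry_run:
                iam.delete_signing_certificate(CertificateId=cert["CertificateId"])
    if "mfa-devices" not in skip:
        for dev in iam.list_mfa_devices()["MFADevices"]:
            actions.append(f"deactivate-mfa-device {dev['SerialNumber']}")
            if not dry_run:
                iam.deactivate_mfa_device(SerialNumber=dev["SerialNumber"])
    return actions
```

Run it across the org by calling `remove_root_credentials(root_iam_client(boto3.client("sts"), account_id), dry_run=False)` for each member account ID returned by `organizations list-accounts`, after reviewing the dry-run output first.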