Latest Documentation
This is the latest documentation for the Cloud Posse Reference Architecture. To determine which version you're currently using, please see Version Identification.

Centralized Root Access

Centralized root access management lets you perform a small set of privileged root actions on member accounts without keeping per-account root credentials. This removes the need to create, store, rotate, or protect a root password and MFA device for every AWS account in the organization.

Overview

AWS Organizations now supports centralized root access: the management account (or a delegated administrator) can obtain a short, task-scoped root session in a member account (the underlying API is sts:AssumeRoot) instead of signing in with that account's root credentials. In this reference architecture, the right to do so is granted through the RootAccess permission set in IAM Identity Center.

With centralized root access:

  1. No root credentials needed — Member accounts have no root passwords, access keys, or MFA devices
  2. Task-scoped access — Root access is limited to specific AWS-managed task policies
  3. Audit trail — All root operations are logged through CloudTrail
  4. Centralized control — Only users with the RootAccess permission set can assume root

Prerequisites

Before using centralized root access, enable the feature in your AWS Organization:

  1. Sign in to the AWS Management Console in the organization management account (core-root in this architecture) with a principal allowed to change the organization's IAM settings
  2. Navigate to IAM → Root access management
  3. Enable both capabilities: "Root credentials management" (removes the need for member-account root credentials) and "Privileged root actions" (allows task-scoped root sessions)
  4. Deploy the aws-sso component which configures the RootAccess permission set
Tip: These prerequisites are typically completed during the account setup or cold start process.

Available Task Policies

When assuming root, you must specify exactly one AWS-managed task policy; the session can perform only the actions that policy allows, nothing else in the account:

| Task policy                 | Description                                                                                   |
|-----------------------------|-----------------------------------------------------------------------------------------------|
| IAMAuditRootUserCredentials | Read-only audit of the member account's root credentials (MFA devices, access keys, signing certificates) |
| IAMCreateRootUserPassword   | Create a root user password for the member account (for recovery)                             |
| IAMDeleteRootUserCredentials| Delete the root password, access keys, signing certificates, and MFA devices                  |
| S3UnlockBucketPolicy        | Delete an S3 bucket policy that denies all principals access (a locked-out bucket)            |
| SQSUnlockQueuePolicy        | Delete an SQS queue policy that denies all principals access (a locked-out queue)             |

Using Centralized Root Access

Atmos supports the aws/assume-root identity kind. It chains from an SSO permission-set identity (the RootAccess permission set in the management account) to a root session in one target account with one specific task policy, so each identity names a single account and a single task.

Configuration

Define assume-root identities in your profile's atmos.yaml:

# profiles/managers/atmos.yaml
auth:
  identities:
    # Base identity: the RootAccess permission set in the management account
    organizational-root-access:
      kind: aws/permission-set
      via:
        provider: sso
      principal:
        name: RootAccess
        account:
          name: core-root

    # Chain to assume root in plat-dev for auditing root credentials (read-only task)
    plat-dev/audit-root:
      kind: aws/assume-root
      via:
        identity: organizational-root-access
      principal:
        target_principal: "123456789012" # plat-dev account ID (quote it so YAML keeps it a string)
        task_policy_arn: arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials

    # Chain to assume root in plat-dev for deleting root credentials (destructive task)
    plat-dev/delete-root-credentials:
      kind: aws/assume-root
      via:
        identity: organizational-root-access
      principal:
        target_principal: "123456789012" # plat-dev account ID
        task_policy_arn: arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials

Assume Root on a Member Account

  1. Authenticate with the assume-root identity for the specific task (Atmos performs the SSO login and the chained sts:AssumeRoot call for you):
atmos auth login --identity plat-dev/audit-root
  2. Run a single command as root on the member account:
atmos auth exec --identity plat-dev/audit-root -- aws iam list-mfa-devices
  3. Or start an interactive shell with the root session credentials and confirm you are in the member account before doing anything else:
atmos auth shell --identity plat-dev/audit-root
aws sts get-caller-identity
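Because every assume-root identity names a target account and a task policy, the atmos.yaml above is worth linting in CI before anyone logs in with it. The following is an added example, not code from the page or from Atmos: it takes the `auth.identities` map as a YAML loader would return it (embedded here as a constructed dict, plus one deliberately broken identity), follows each `via.identity` link back to the base identity, and checks that every aws/assume-root entry chains to the RootAccess permission set, targets a known 12-digit account ID, and uses one of the five AWS root-task policies. The identity name `plat-dev/unlock-s3-broken` and the account inventory set are assumptions for the demo.

```python
"""Lint the aws/assume-root identities of an Atmos auth config (added example, not Atmos code)."""
import re

ROOT_TASK_PREFIX = "arn:aws:iam::aws:policy/root-task/"
ROOT_TASK_POLICIES = {
    "IAMAuditRootUserCredentials",
    "IAMCreateRootUserPassword",
    "IAMDeleteRootUserCredentials",
    "S3UnlockBucketPolicy",
    "SQSUnlockQueuePolicy",
}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed: the identities from the atmos.yaml above, as a YAML loader would return them,
# plus one broken entry (assumed, not from the page) so the lint has something to report.
IDENTITIES = {
    "organizational-root-access": {
        "kind": "aws/permission-set",
        "via": {"provider": "sso"},
        "principal": {"name": "RootAccess", "account": {"name": "core-root"}},
    },
    "plat-dev/audit-root": {
        "kind": "aws/assume-root",
        "via": {"identity": "organizational-root-access"},
        "principal": {
            "target_principal": "123456789012",
            "task_policy_arn": ROOT_TASK_PREFIX + "IAMAuditRootUserCredentials",
        },
    },
    "plat-dev/delete-root-credentials": {
        "kind": "aws/assume-root",
        "via": {"identity": "organizational-root-access"},
        "principal": {
            "target_principal": "123456789012",
            "task_policy_arn": ROOT_TASK_PREFIX + "IAMDeleteRootUserCredentials",
        },
    },
    "plat-dev/unlock-s3-broken": {
        "kind": "aws/assume-root",
        "via": {"identity": "identity-that-does-not-exist"},
        "principal": {
            "target_principal": 123456789012,  # unquoted in YAML: loads as int, not a string
            "task_policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess",
        },
    },
}


def resolve_base(identities, name):
    """Follow via.identity links to the identity that authenticates with a provider.

    Raises ValueError on a dangling reference, a cycle, or an identity with no via.
    """
    seen = []
    while True:
        if name in seen:
            raise ValueError("identity chain cycles: " + " -> ".join(seen + [name]))
        seen.append(name)
        ident = identities.get(name)
        if ident is None:
            raise ValueError(f"identity {name!r} is not defined")
        via = ident.get("via") or {}
        if "provider" in via:
            return ident
        if "identity" not in via:
            raise ValueError(f"identity {name!r} has neither via.provider nor via.identity")
        name = via["identity"]


def lint_assume_root(identities, known_accounts):
    """Return {identity_name: [problems]} for every aws/assume-root identity; [] means clean."""
    findings = {}
    for name, ident in identities.items():
        if ident.get("kind") != "aws/assume-root":
            continue
        problems = []
        principal = ident.get("principal") or {}

        target = principal.get("target_principal")
        if not isinstance(target, str) or not ACCOUNT_ID_RE.match(target):
            problems.append(f"target_principal {target!r} must be a quoted 12-digit account ID")
        elif target not in known_accounts:
            problems.append(f"target_principal {target} is not a known member account")

        arn = principal.get("task_policy_arn", "")
        task = arn[len(ROOT_TASK_PREFIX):] if arn.startswith(ROOT_TASK_PREFIX) else None
        if task not in ROOT_TASK_POLICIES:
            problems.append(f"task_policy_arn {arn!r} is not an AWS root-task policy")

        try:
            base = resolve_base(identities, name)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            base_principal = base.get("principal") or {}
            if base.get("kind") != "aws/permission-set" or base_principal.get("name") != "RootAccess":
                problems.append("chain must start from the RootAccess permission set")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for ident_name, issues in lint_assume_root(IDENTITIES, {"123456789012"}).items():
        print(ident_name, "OK" if not issues else "; ".join(issues))
```

The account inventory passed to `lint_assume_root` should come from your account map (the same source that gives `plat-dev` its ID), so a typo in `target_principal` cannot silently point a root session at the wrong account.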

Example: Delete Root Credentials

To delete root credentials from a member account, use the identity bound to the IAMDeleteRootUserCredentials task policy. Inside the root session the IAM calls act on the root user when --user-name is omitted (IAM resolves the owner from the credentials signing the request); passing --user-name root would instead look for an IAM user named "root".

# Authenticate and run a single command as root with the delete-credentials task policy
atmos auth exec --identity plat-dev/delete-root-credentials -- \
aws iam delete-access-key --access-key-id <KEY_ID>

# Or start a shell for multiple operations
atmos auth shell --identity plat-dev/delete-root-credentials

# Find what exists before deleting it
aws iam list-access-keys
aws iam list-mfa-devices

# Delete the root console password, then the root MFA device
aws iam delete-login-profile
aws iam deactivate-mfa-device --serial-number <MFA_ARN>
aws iam delete-virtual-mfa-device --serial-number <MFA_ARN>

Security Considerations

  1. Restrict access — Only the managers profile has the RootAccess permission set
  2. Task-scoped — Each assume-root session is limited to a specific task policy
  3. Short-lived — Root sessions have a maximum duration of 15 minutes (900 seconds); there is no way to request a longer one
  4. Audited — Every sts:AssumeRoot call is logged in CloudTrail for the management account, and the actions taken with the root session are logged in the member account's trail
  5. No standing access — Credentials are generated on-demand, not stored
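The audit trail is only useful if someone looks at it, so the AssumeRoot events deserve a detection rule. The block below is an added example, not code from the page or from AWS: it triages CloudTrail records for sts:AssumeRoot, flagging calls that target an account outside your inventory, that come from any principal other than the RootAccess permission-set role, that use a mutating task policy, that ask for more than the 900-second cap, or that were denied. The record layout (targetPrincipal, taskPolicyArn as {"arn": ...}, durationSeconds) is assumed from the shape of the AssumeRoot API request; the sample records, account IDs, role ARNs, and user names are constructed for the demo, and the role-name convention `AWSReservedSSO_<PermissionSet>_<suffix>` is what IAM Identity Center uses for permission-set roles.

```python
"""Triage sts:AssumeRoot CloudTrail records (added example, not from the page or AWS)."""
import json

ROOT_TASK_PREFIX = "arn:aws:iam::aws:policy/root-task/"
# Tasks that change credentials or resource policies in the member account (audit is read-only).
MUTATING_TASKS = {
    "IAMCreateRootUserPassword",
    "IAMDeleteRootUserCredentials",
    "S3UnlockBucketPolicy",
    "SQSUnlockQueuePolicy",
}
MAX_ROOT_SESSION_SECONDS = 900  # AssumeRoot sessions are capped at 15 minutes
# IAM Identity Center names the role behind a permission set AWSReservedSSO_<PermissionSet>_<suffix>.
EXPECTED_CALLER_FRAGMENT = "AWSReservedSSO_RootAccess_"
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


def task_name(task_policy_arn):
    """Return the root-task name from a policy ARN given as a string or {"arn": ...}, else None."""
    if isinstance(task_policy_arn, dict):
        task_policy_arn = task_policy_arn.get("arn")
    if not isinstance(task_policy_arn, str) or not task_policy_arn.startswith(ROOT_TASK_PREFIX):
        return None
    return task_policy_arn[len(ROOT_TASK_PREFIX):]


def triage_event(event, known_accounts):
    """Return (severity, reasons) for one AssumeRoot record, or None for any other event."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRoot":
        return None
    params = event.get("requestParameters") or {}
    reasons, severity = [], "info"

    def raise_to(level, reason):
        nonlocal severity
        reasons.append(reason)
        if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level

    target = params.get("targetPrincipal")
    if target not in known_accounts:
        raise_to("high", f"target account {target!r} is not in the account inventory")

    task = task_name(params.get("taskPolicyArn"))
    if task is None:
        raise_to("high", "missing or non-root-task policy ARN")
    elif task in MUTATING_TASKS:
        raise_to("medium", f"mutating task policy {task}")

    caller = (event.get("userIdentity") or {}).get("arn", "")
    if EXPECTED_CALLER_FRAGMENT not in caller:
        raise_to("high", f"caller {caller!r} is not the RootAccess permission-set role")

    if params.get("durationSeconds", 0) > MAX_ROOT_SESSION_SECONDS:
        raise_to("medium", "requested session longer than the 900s cap")

    if event.get("errorCode"):
        raise_to("medium", f"call failed: {event['errorCode']}")
    return severity, reasons


def triage_trail(json_lines, known_accounts):
    """Parse one CloudTrail record per line; return [(eventID, severity, reasons)] for AssumeRoot calls."""
    out = []
    for line in json_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = triage_event(event, known_accounts)
        if verdict is not None:
            out.append((event.get("eventID"), *verdict))
    return out


def _record(event_id, caller, target, task, error=None):
    """Build a constructed AssumeRoot record in the assumed CloudTrail layout (demo data only)."""
    rec = {
        "eventID": event_id,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoot",
        "userIdentity": {"type": "AssumedRole", "arn": caller},
        "requestParameters": {
            "targetPrincipal": target,
            "taskPolicyArn": {"arn": ROOT_TASK_PREFIX + task},
            "durationSeconds": 900,
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed principals: one RootAccess session and one ordinary administrator session.
ROOT_ACCESS_ROLE = "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_RootAccess_0123456789abcdef/ops@example.com"
ADMIN_ROLE = "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_fedcba9876543210/dev@example.com"

# Constructed trail: benign audit, expected but destructive cleanup, a suspicious denied call, and noise.
SAMPLE_TRAIL = [json.dumps(r) for r in [
    _record("e1", ROOT_ACCESS_ROLE, "123456789012", "IAMAuditRootUserCredentials"),
    _record("e2", ROOT_ACCESS_ROLE, "123456789012", "IAMDeleteRootUserCredentials"),
    _record("e3", ADMIN_ROLE, "999999999999", "S3UnlockBucketPolicy", error="AccessDenied"),
    {"eventID": "e4", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},
]]

if __name__ == "__main__":
    for event_id, severity, reasons in triage_trail(SAMPLE_TRAIL, {"123456789012"}):
        print(event_id, severity, "; ".join(reasons) or "expected use")
```

Even the "medium" findings are worth a notification: a mutating task policy from the right role is exactly what the delete-credentials example above produces, and an engineer should be able to confirm that the session was theirs.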

Additional Information

For more details, see the AWS Centralized Root Access Documentation.

Next Steps

Deploy IAM roles

Now that we have Permission Sets deployed for human access, we need to configure IAM roles for machine users. Deploy IAM Roles