AWS Organizations uses centralized root credentials management to control root user credentials across member accounts.
This finding evaluates whether the organization has enabled the RootCredentialsManagement feature to centrally govern presence and recovery of root passwords, access keys, signing certificates, and MFA.
Risk
Without central control, member accounts can retain or recover long-term root credentials, weakening confidentiality and integrity.
Threats include:
- Account takeover via root email recovery
- Persistent access through root keys
- Unfixable lockouts from misconfigured policies
- Bypass of separation of duties
prowler aws --checks iam_root_credentials_management_enabled
Recommendation
Enable centralized root access with root credentials management and assign a delegated administrator.
Apply least privilege and separation of duties by deleting long-term root credentials in members, limiting privileged tasks to short-lived sessions, enforcing MFA, and auditing root-related activity for defense in depth.
Remediation
aws iam enable-organizations-root-credentials-management
1. Sign in to the AWS Management Console with the management account and open IAM
2. In the left pane, select "Root access management" and click "Enable"
3. In "Capabilities to enable", select only "Root credentials management"
4. Click "Enable" to apply
5. If prompted, enable trusted access for IAM in AWS Organizations and retry step 3
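The check above boils down to one IAM API call, iam:ListOrganizationsFeatures, and a look at whether "RootCredentialsManagement" is in its EnabledFeatures list. The following is an added example (not Prowler's own code) that evaluates that response and maps the API's documented error codes, including the "trusted access not enabled" case from step 5, to a finding; the status names and the error-to-status mapping are my own choices, and the boto3 client is only needed for the live call.

```python
"""Evaluate whether centralized root credentials management is enabled.

Pure functions evaluate a ListOrganizationsFeatures response or error code;
check_live() wraps them around a real boto3 call (management or delegated
administrator account credentials required).
"""
from dataclasses import dataclass

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # boto3 is optional: offline evaluation still works
    boto3, ClientError = None, Exception

REQUIRED_FEATURE = "RootCredentialsManagement"

# Error codes from the IAM API reference for ListOrganizationsFeatures (plus the
# generic AccessDenied), mapped to a status and the reason shown to the operator.
# FAIL = remediable by the org admin; MANUAL = the check cannot apply here.
ERROR_REASONS = {
    "OrganizationNotFoundException": ("MANUAL", "account is not in an AWS Organization"),
    "OrganizationNotInAllFeaturesModeException": ("FAIL", "organization is not in all-features mode"),
    "ServiceAccessNotEnabledException": ("FAIL", "trusted access for IAM is not enabled in AWS Organizations"),
    "AccessDeniedException": ("MANUAL", "caller lacks iam:ListOrganizationsFeatures; run from the management or delegated admin account"),
}

@dataclass(frozen=True)
class Finding:
    status: str       # PASS, FAIL or MANUAL
    resource_id: str  # organization id when the API returned one
    reason: str

def evaluate_features(response: dict) -> Finding:
    """Turn a ListOrganizationsFeatures response dict into a finding."""
    org_id = response.get("OrganizationId", "unknown")
    if REQUIRED_FEATURE in set(response.get("EnabledFeatures", [])):
        return Finding("PASS", org_id, f"{REQUIRED_FEATURE} is enabled")
    return Finding("FAIL", org_id, f"{REQUIRED_FEATURE} is not enabled; run "
                   "'aws iam enable-organizations-root-credentials-management'")

def evaluate_error(error_code: str) -> Finding:
    """Map a ClientError code to a finding; unknown codes are reported as FAIL."""
    status, reason = ERROR_REASONS.get(error_code, ("FAIL", f"unexpected error {error_code}"))
    return Finding(status, "unknown", reason)

def check_live(session=None) -> Finding:
    """Run the check with the current credentials (needs boto3 installed)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live check")
    iam = (session or boto3).client("iam")
    try:
        return evaluate_features(iam.list_organizations_features())
    except ClientError as exc:
        return evaluate_error(exc.response["Error"]["Code"])

if __name__ == "__main__":
    print(check_live())
```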
Resource Type
Other