Automatically roll out IAM Root Access Management
With the introduction of root access management, AWS Organizations owners can now securely manage root account credentials centrally. For larger enterprises, enabling this across the organisation is a slow and click-heavy rollout. This post walks through how to automate enabling the feature and rolling it out across an organisation.
Published Nov 26, 2024
Last Modified Nov 28, 2024
Managing root credentials at scale has always been a tiresome process, with the recommendation to use hardware MFA an added hurdle. We used to get by when engineers were in the office: an engineer would follow a simple but time-consuming process.
- Check the hardware MFA key out of its safe location
- Create the account, using IaC
- Reset the password on the account, storing it in a centralised password manager
- Log in to the account and set up the hardware MFA
- Check the key back in
When COVID hit, we adapted to a remote-first way of working, but this made the process much harder to manage and we felt we were always chasing down accounts to enable MFA. Eventually our TAMs were chasing us whenever an account slipped through the net.
The introduction of Root Access Management has eradicated this process: once enabled, all newly created accounts are safe, and even the root password reset functionality is disabled.
For older accounts, the console can be used to remove the root credentials from each account by hand, but with a large number of accounts, clicking around the UI and enabling each one manually was not an option.
To roll this out automatically I wrote a simple Python application: open CloudShell in the management account, check out the repo and leave it to run. It has a skip flag for each credential type being removed and a dry-run mode that shows what would happen across the organisation.
Usage example
Skip signing certificates
It's as simple as that, but if you want the details of how it works, continue reading.
The meaty bit - broken down
Essentially, what the script does is: enable root access management, iterate over each account, assume root in that account and run the disables.
Enabling root access management
Iterating each account and for each account:
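The three steps above, written out as an added example in Python with boto3; this is illustrative code, not the post's own tool. It assumes boto3's `enable_organizations_root_credentials_management`, `assume_root` and the `IAMDeleteRootUserCredentials` root-task policy ARN, and the flag names (`--dry-run`, `--skip-password`, `--skip-access-keys`, `--skip-signing-certs`), the `Options` dataclass and the function names are my own choices rather than the author's.

```python
"""Added example (not the post's own tool): roll IAM root access management out
across an AWS Organization from the management account, e.g. via CloudShell."""
import argparse
from dataclasses import dataclass

try:
    import boto3  # only needed when talking to AWS; the logic below is testable without it
except ImportError:  # pragma: no cover
    boto3 = None

# Root-task policy that scopes an assume-root session to deleting root credentials.
DELETE_ROOT_CREDS_TASK = "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"


@dataclass
class Options:  # assumed flag set: one skip flag per credential type, plus dry-run
    dry_run: bool = False
    skip_password: bool = False
    skip_access_keys: bool = False
    skip_signing_certs: bool = False


def enable_root_access_management(organizations, iam):
    """Step 1: enable central root credential management for the whole organisation.
    IAM trusted access in Organizations must be on before the IAM call succeeds."""
    organizations.enable_aws_service_access(ServicePrincipal="iam.amazonaws.com")
    iam.enable_organizations_root_credentials_management()


def member_account_ids(organizations, management_account_id):
    """Active member accounts only: assume-root cannot target the management account."""
    ids = []
    for page in organizations.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE" and acct["Id"] != management_account_id:
                ids.append(acct["Id"])
    return ids


def root_iam_client(sts, account_id):
    """Step 2: assume root in a member account; return an IAM client on that session."""
    creds = sts.assume_root(
        TargetPrincipal=account_id,
        TaskPolicyArn={"arn": DELETE_ROOT_CREDS_TASK},
        DurationSeconds=900,  # short-lived: the session is only needed for a few calls
    )["Credentials"]
    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return session.client("iam")


def disable_root_credentials(iam, opts):
    """Step 3: delete the root password, access keys and signing certificates.
    `iam` is a client on the assume-root session, so calls that omit UserName act
    on the root user. Returns the actions taken (or planned, in dry-run mode)."""
    actions = []
    if not opts.skip_password:
        actions.append("delete console password")
        if not opts.dry_run:
            try:
                iam.delete_login_profile()
            except iam.exceptions.NoSuchEntityException:  # root has no password set
                actions[-1] = "no console password to delete"
    if not opts.skip_access_keys:
        for key in iam.list_access_keys()["AccessKeyMetadata"]:
            actions.append(f"delete access key {key['AccessKeyId']}")
            if not opts.dry_run:
                iam.delete_access_key(AccessKeyId=key["AccessKeyId"])
    if not opts.skip_signing_certs:
        for cert in iam.list_signing_certificates()["Certificates"]:
            actions.append(f"delete signing certificate {cert['CertificateId']}")
            if not opts.dry_run:
                iam.delete_signing_certificate(CertificateId=cert["CertificateId"])
    return actions


def rollout(organizations, iam, sts, management_account_id, opts):
    """Enable the feature, then visit every member account. Returns {account_id: actions}.
    Enabling runs even in dry-run mode: it deletes nothing and assume-root needs it on."""
    enable_root_access_management(organizations, iam)
    return {
        account_id: disable_root_credentials(root_iam_client(sts, account_id), opts)
        for account_id in member_account_ids(organizations, management_account_id)
    }


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Roll out root access management org-wide")
    for flag in ("--dry-run", "--skip-password", "--skip-access-keys", "--skip-signing-certs"):
        parser.add_argument(flag, action="store_true")
    sts = boto3.client("sts")
    report = rollout(boto3.client("organizations"), boto3.client("iam"), sts,
                     sts.get_caller_identity()["Account"], Options(**vars(parser.parse_args())))
    for account_id, actions in report.items():
        print(account_id, "->", "; ".join(actions) or "nothing to do")
```

Two design points worth noting. The enable step runs even in dry-run mode because it deletes nothing and `assume_root` refuses to work until root access management is on, so a dry run can still assume root in each account and list what it would remove. The management account is deliberately excluded from the loop, since assume-root cannot target it; its root credentials still need to be handled separately. Each root session is scoped to the `IAMDeleteRootUserCredentials` task policy, so even a bug in the loop cannot do more in a member account than delete root credentials.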