Skip to main content

Access AWS Account Root User Credentials

tip

See Centralized root access for member accounts for details on securing the root user credentials of your member accounts.

When taking actions in your Stax-managed AWS accounts with root user credentials, you may find that the AWS Console or API does not return information or permit you to perform certain tasks. This is due to a policy Stax implements to prevent the root user credentials from taking any actions in Stax-managed AWS accounts, thereby improving the security of the accounts.

There are some actions that only the root user credentials can perform. These can be reviewed within the AWS General Reference. In the event that you need to perform any of these tasks, you must request that Stax temporarily lifts these restrictions.

Before You Begin

  • Ensure you are a member of the Admin role in your Stax tenancy
  • Ensure you are the owner of the account in question, by reviewing your account ownership model
  • Ensure you have reviewed the Stax-managed AWS Account Email Address Format. Make sure the email address for each AWS account exists in your organization, and that you have access to read emails sent to them

Request a Temporary Lifting of Restrictions

Stax can lift the root user credential restrictions for a limited time period upon request. To authorize this, perform the following steps:

  1. Determine the AWS account IDs for the accounts you need the limitation raised in. You can retrieve these from the Accounts page in Stax
  2. Determine the time period you need the restrictions lifted for (from one to four hours). If appropriate, also determine the time at which you'd like for the restrictions to be lifted
  3. Raise a support case requesting that the restrictions be temporarily lifted, including the duration required and the time at which they should be lifted

What Happens Next?

The Stax team will respond to inform you of the status of your request. When the restrictions are lifted temporarily, you will receive confirmation via your support case. When the time period expires, the restrictions will be automatically restored.

The time period cannot be extended once it has commenced. If you need more time to perform your actions, you'll need to request a new time period using the process on this page.

Recover the root password for the account if you haven't done this before. You can follow the steps outlined in this article, How do I recover a lost or forgotten AWS password?

AWS recommendations related to the recovery of member account root login can be found in Accessing a member account as the root user.