Access AWS Account Root User Credentials
See Centralized root access for member accounts for details on securing the root user credentials of your member accounts.
When taking actions in your Stax-managed AWS accounts with root user credentials, you may find that the AWS Console or API does not return information or permit you to perform certain tasks. This is due to a policy Stax implements to prevent the root user credentials from taking any actions in Stax-managed AWS accounts, thereby improving the security of the accounts.
There are some actions that only the root user credentials can perform. These can be reviewed within the AWS General Reference. In the event that you need to perform any of these tasks, you must lift these restrictions first.
This process used to require intervention by the Stax support team, but with Configurable Guardrails, you can now perform this entire activity yourself.
Before You Begin
- Ensure you are a member of the Admin role in your Stax tenancy
- Ensure you are the owner of the account in question, by reviewing your account ownership model
- Ensure you have reviewed the Stax-managed AWS Account Email Address Format. Make sure the email address for each AWS account exists in your organization, and that you can read emails sent to it
Temporarily lift restrictions on root user credentials
Using the Configurable Guardrails feature, disable the Block non-centralized root user access guardrail. This will allow you to interact with and provision/configure the root user credentials for accounts in your Stax-managed AWS Organization.
It is recommended that, once you've completed the activity with root user credentials, you re-enable the Block non-centralized root user access guardrail to help keep your accounts secure.
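To confirm that root user activity happened only while the guardrail was disabled, you can review CloudTrail records against that window. The following is an added example, not Stax or AWS code: it applies the commonly used root-usage filter (userIdentity type "Root", no invokedBy, not an AwsServiceEvent) to exported CloudTrail JSON records. The function names, the sample records and the window times are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records for illustration (account IDs and times are made up).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2024-05-01T10:05:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn",
  "recipientAccountId":"111111111111","userIdentity":{"type":"Root"}},
 {"eventTime":"2024-05-01T10:20:00Z","eventName":"GenerateDataKey","eventType":"AwsApiCall",
  "recipientAccountId":"111111111111","userIdentity":{"type":"Root","invokedBy":"s3.amazonaws.com"}},
 {"eventTime":"2024-05-01T10:30:00Z","eventName":"ListBuckets","eventType":"AwsApiCall",
  "recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser"}},
 {"eventTime":"2024-05-02T03:00:00Z","eventName":"ListUsers","eventType":"AwsApiCall",
  "recipientAccountId":"111111111111","errorCode":"AccessDenied","userIdentity":{"type":"Root"}}
]""")

def parse_time(value):
    """Parse a CloudTrail eventTime (UTC, ISO 8601 with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_root_user_event(record):
    """True for actions taken with root credentials, excluding AWS service activity."""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")

def review_root_activity(records, window_start, window_end):
    """List root user events and mark whether each fell inside the approved window."""
    start, end = parse_time(window_start), parse_time(window_end)
    findings = []
    for record in records:
        if not is_root_user_event(record):
            continue
        when = parse_time(record["eventTime"])
        findings.append({
            "account": record.get("recipientAccountId"),
            "time": record["eventTime"],
            "event": record.get("eventName"),
            "error": record.get("errorCode"),  # set when the call was rejected
            "in_window": start <= when <= end,
        })
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    # Assumed window: the period during which the guardrail was disabled.
    for f in review_root_activity(SAMPLE_RECORDS, "2024-05-01T10:00:00Z", "2024-05-01T11:00:00Z"):
        label = "expected" if f["in_window"] else "OUTSIDE WINDOW"
        print(f["time"], f["account"], f["event"], f["error"] or "ok", label)
```

Root events outside the window, including rejected attempts, are the ones to follow up with the account owner.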
What Happens Next?
Recover the root password for the account if you haven't done this before. You can follow the steps outlined in this article, How do I recover a lost or forgotten AWS password?
AWS recommendations related to the recovery of member account root login can be found in Accessing a member account as the root user.