In some cases you will need to perform an action in a member AWS account that can only be done by the root user. Actions that can only be performed by the root user include changing your support plan, enabling multi-factor authentication for the root user, or closing the account. For a longer list of root-user actions see this documentation.
In this lab you will learn the steps you need to take to log in to a member AWS account as the root user.
First, log in to your Management AWS account (preferably via AWS SSO). Search for AWS Organizations in the search field at the top of the screen and select it when it appears.
In AWS Organizations you will see your multi-account structure. Click on ‘List’.
Look for the member AWS account in which you want to perform a root-user action and copy the email address associated with that member AWS account.
Open an incognito window in your browser and navigate to the AWS login page. Paste the email address of the member AWS account that you copied into the email field.
You will now need to perform a password reset for the root user of the AWS account, since AWS accounts created via AWS Organizations don’t have a password set initially. Please refer to the AWS Organizations documentation for more details. So click on “forgotten password” and fill in the captcha.
The password reset URL has been routed to the AWS Systems Manager Parameter Store (via the superwerker RootMail feature). So go back to your AWS management account in the other window.
Navigate to AWS Systems Manager and click on Parameter Store in the menu on the left.
Here you will find a parameter whose name begins with “superwerker/rootmail/pw-reset-link/…”; this is where the password reset URL is stored. Click on the parameter and copy the password reset URL.
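An added example (not part of this lab or of superwerker itself) that does the Parameter Store lookup from the previous step with boto3 instead of the console: it collects the pw-reset-link parameters, picks the newest one, and sanity-checks the URL before you open it. The parameter name suffixes, URL path and token below are constructed sample values, and the check that the link points at an amazon.com host is an assumption.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Parameter name prefix used by the superwerker RootMail feature (from this lab).
RESET_LINK_PREFIX = "/superwerker/rootmail/pw-reset-link/"


def fetch_reset_link_parameters(ssm_client):
    """Read all pw-reset-link parameters through the real SSM API.
    The caller passes a boto3 SSM client; a paginator handles >10 results."""
    paginator = ssm_client.get_paginator("get_parameters_by_path")
    found = []
    for page in paginator.paginate(Path=RESET_LINK_PREFIX, Recursive=True,
                                   WithDecryption=True):
        found.extend(page["Parameters"])
    return found


def latest_reset_link(parameters):
    """Return the most recently written pw-reset-link parameter, or None.
    Input is a list of SSM parameter dicts (Name, Value, LastModifiedDate),
    the shape boto3 returns; a missing leading '/' in the name is tolerated."""
    wanted = RESET_LINK_PREFIX.lstrip("/")
    matches = [p for p in parameters if p["Name"].lstrip("/").startswith(wanted)]
    if not matches:
        return None
    return max(matches, key=lambda p: p["LastModifiedDate"])


def is_plausible_reset_url(url):
    """Refuse to open anything that is not HTTPS on an amazon.com host.
    Assumption: AWS password reset links always live on an amazon.com host;
    a value that fails this check means the parameter was tampered with."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme == "https" and (
        host == "amazon.com" or host.endswith(".amazon.com"))


# Constructed sample: two reset requests, the second one newer.
SAMPLE_PARAMETERS = [
    {"Name": "/superwerker/rootmail/pw-reset-link/sample-a",
     "Value": "https://signin.aws.amazon.com/reset?token=CONSTRUCTED-1",
     "LastModifiedDate": datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)},
    {"Name": "/superwerker/rootmail/pw-reset-link/sample-b",
     "Value": "https://signin.aws.amazon.com/reset?token=CONSTRUCTED-2",
     "LastModifiedDate": datetime(2024, 1, 10, 9, 5, tzinfo=timezone.utc)},
    {"Name": "/superwerker/rootmail/other", "Value": "ignored",
     "LastModifiedDate": datetime(2024, 1, 11, 0, 0, tzinfo=timezone.utc)},
]
```

With a real client, call `fetch_reset_link_parameters(boto3.client("ssm"))` in place of `SAMPLE_PARAMETERS`.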
Return to the incognito window. Go to the copied password reset URL and reset the password. Choose a strong password, preferably generated by your preferred password manager. We also recommend using a one-time temporary password that is not stored anywhere, since this password reset procedure can be repeated whenever root access is needed again.
Use the member AWS account email address and the newly reset password to log in to the member AWS account in which you wish to perform a root-user action. From here on you can perform root-user actions in the member AWS account you are signed in to.