---
title: AWS Organizations centralized root access management should be fully enabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS Organizations centralized root access management should be fully enabled
 
## Description{% #description %}

AWS Organizations should have both centralized root access management features fully enabled: root sessions and root credentials management. Together, these features ensure that `sts:AssumeRoot` permissions are enforced exclusively through the management account, providing centralized control over root user sessions and the ability to remove long-term root credentials from member accounts. Without both features enabled, root access cannot be fully governed through permission boundaries and organizational policies.

## Remediation{% #remediation %}

Enable both centralized root access management features for the organization. From the management account, enable "Root sessions" to allow centralized root access via `sts:AssumeRoot`, and enable "Root credentials management" to remove and manage root credentials across member accounts. For guidance, refer to [Centralize root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html).
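The check and remediation above can be scripted against the IAM API. The following is an added example, not part of the Datadog rule or the AWS guide: it assumes boto3, credentials for the management account, and that trusted access for IAM is already enabled in AWS Organizations. The function names `evaluate` and `remediate` are hypothetical.

```python
"""Check and remediate centralized root access features (added example)."""

# Feature names as returned by IAM ListOrganizationsFeatures.
REQUIRED_FEATURES = {"RootCredentialsManagement", "RootSessions"}


def evaluate(response):
    """Turn a ListOrganizationsFeatures response into a pass/fail finding."""
    enabled = set(response.get("EnabledFeatures") or [])
    missing = sorted(REQUIRED_FEATURES - enabled)
    return {
        "organization": response.get("OrganizationId"),
        "status": "fail" if missing else "pass",
        "missing": missing,
    }


def remediate(iam, apply=False):
    """Enable whichever feature is missing; with apply=False only report.

    `iam` is a boto3 IAM client built from management-account credentials.
    Returns the finding as it was before any change.
    """
    enablers = {
        "RootCredentialsManagement": iam.enable_organizations_root_credentials_management,
        "RootSessions": iam.enable_organizations_root_sessions,
    }
    finding = evaluate(iam.list_organizations_features())
    if apply:
        for feature in finding["missing"]:
            enablers[feature]()
    return finding


if __name__ == "__main__":
    # Constructed sample: only one of the two features is on, so the rule fails.
    sample = {"OrganizationId": "o-exampleorgid", "EnabledFeatures": ["RootSessions"]}
    print(evaluate(sample))

    import boto3  # assumption: credentials for the management account are configured

    print(remediate(boto3.client("iam"), apply=False))
```

Run `remediate` with `apply=False` first to see which feature is missing, then re-run `evaluate` after applying to confirm both are reported as enabled.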
