AWS account root user

• Use the root user only to perform the tasks that require root-level permissions. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.

• Follow the root user best practices for your AWS account.

• If you're having trouble signing in see Sign in to the AWS Management Console.

• For help with root user issues, see Troubleshoot issues with the root user.

• To centrally manage root user email addresses in Organizations, see Updating the root user email address for a member account in the AWS Organizations User Guide.

• Remove member account root user credentials to prevent account recovery of the root user. You can also allow password recovery to recover root user credentials for a member account.

• Remove a misconfigured bucket policy that denies all principals from accessing an Amazon S3 bucket.

• Delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.

Account Management Tasks

• Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and AWS Regions, don't require root user credentials.

• Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.

• Close your AWS account.

  For more information, see the following topics:

  • How do I assign ownership of my AWS account to another entity?.

  • How do I close my AWS account?.

  • Close a standalone AWS account.

Billing Tasks

• Activate IAM access to the Billing and Cost Management console.

• Some Billing tasks are limited to the root user. See Managing an AWS account in AWS Billing User Guide for more information.

• View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc. or Amazon Internet Services Private Limited (AISPL).

AWS GovCloud (US) Tasks

• Sign up for AWS GovCloud (US).

• Request AWS GovCloud (US) account root user access keys from AWS Support.

Amazon EC2 Task

• Register as a seller in the Reserved Instance Marketplace.

AWS KMS Task

• In the event that an AWS Key Management Service key becomes unmanageable, an administrator can recover it by contacting AWS Support; however, AWS Support responds to your root user's primary phone number for authorization by confirming the ticket OTP.

Amazon Mechanical Turk Task

• Link Your AWS account to your MTurk Requester account.

Amazon Simple Storage Service Tasks

• Configure an Amazon S3 bucket to enable MFA (multi-factor authentication).

• Edit or delete an Amazon S3 bucket policy that denies all principals.

  You can use privileged actions to unlock an Amazon S3 bucket with a misconfigured bucket policy. For details, see Perform a privileged task on an AWS Organizations member account.

Amazon Simple Queue Service Task

• Edit or delete an Amazon SQS resource-based policy that denies all principals.

  You can use privileged actions to unlock an Amazon SQS queue with a misconfigured resource-based policy. For details, see Perform a privileged task on an AWS Organizations member account.

• What are some best practices for securing my AWS account and its resources?

• How can I create an EventBridge event rule to notify me that my root user was used?

• Monitor and notify on AWS account root user activity

• Monitor IAM root user activity