Root user best practices for your AWS account - AWS Identity and Access Management

Root user best practices for your AWS account

When you first create an AWS account, you begin with a default set of credentials with complete access to all AWS resources in your account. This identity is called the AWS account root user. We strongly recommend you don’t access the AWS account root user unless you have a task that requires root user credentials. You need to secure your root user credentials and your account recovery mechanisms to help ensure you don’t expose your highly privileged credentials for unauthorized use.

For multiple AWS accounts managed through Organizations, we recommend removing root user credentials from member accounts to help prevent unauthorized use. You can remove the root user password, access keys, signing certificates, and deactivate and delete multi-factor authentication (MFA). Member accounts can't sign in to their root user or perform password recovery for their root user. For more information, see Centrally manage root access for member accounts.

Instead of accessing the root user, create an administrative user for everyday tasks.

With your administrative user, you can then create additional identities for users that need access to resources in your AWS account. We strongly recommend you require users to authenticate with temporary credentials when accessing AWS.

  • For a single, standalone AWS account, use IAM roles to create identities in your account with specific permissions. Roles are intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials, such as a password or access keys, associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. Unlike IAM roles, IAM users have long-term credentials such as passwords and access keys. Where possible, best practices recommend relying on temporary credentials instead of creating IAM users who have long-term credentials such as passwords and access keys.

  • For multiple AWS accounts managed through Organizations, use IAM Identity Center workforce users. With IAM Identity Center, you can centrally manage users across your AWS accounts and permissions within those accounts. Manage your user identities with IAM Identity Center or from an external identity provider. For more information, see What is AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

Secure your root user credentials to prevent unauthorized use

Secure your root user credentials and use them for only the tasks that require them. To help prevent unauthorized use, don’t share your root user password, MFA, access keys, CloudFront key pairs, or signing certificates with anyone, except those that have a strict business need to access the root user.

Don't store the root user password with tools that depend on AWS services in an account that is accessed using that same password. If you lose or forget your root user password, you will not be able to access these tools. We recommend that you prioritize resiliency and consider requiring two or more people to authorize access to the storage location. Access to the password or its storage location should be logged and monitored.

Use a strong root user password to help protect access

We recommend that you use a password that is strong and unique. Tools such as password managers with strong password generation algorithms can help you achieve these goals. AWS requires that your password meet the following conditions:

  • It must have a minimum of 8 characters and a maximum of 128 characters.

  • It must include a minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * () <> [] {} | _+-= symbols.

  • It must not be identical to your AWS account name or email address.

For more information, see Change the password for the AWS account root user.

Secure your root user sign-in with multi-factor authentication (MFA)

Because a root user can perform privileged actions, it's crucial to add MFA for the root user as a second authentication factor in addition to the email address and password as sign-in credentials. We strongly recommend enabling multiple MFA for your root user credentials to provide additional flexibility and resiliency in your security strategy. You can register up to eight MFA devices of any combination of the currently supported MFA types with your AWS account root user.

Don't create access keys for the root user

Access keys let you run commands in the AWS Command Line Interface (AWS CLI) or use API operations from one of the AWS SDKs. We strongly recommend that you do not create access key pairs for your root user because the root user has full access to all AWS services and resources in the account, including billing information.

Since only a few tasks require the root user and you typically perform those tasks infrequently, we recommend signing in to the AWS Management Console to perform root user tasks. Before creating access keys, review the alternatives to long-term access keys.

Use multi-person approval for root user sign-in wherever possible

Consider using multi-person approval to ensure that no one person can access both MFA and password for the root user. Some companies add an additional layer of security by setting up one group of administrators with access to the password, and another group of administrators with access to MFA. One member from each group must come together to sign in as the root user.

Use a group email address for root user credentials

Use an email address that is managed by your business and forwards received messages directly to a group of users. If AWS must contact the owner of the account, this approach reduces the risk of delays in responding, even if individuals are on vacation, out sick, or have left the business. The email address used for the root user should not be used for other purposes.

Restrict access to account recovery mechanisms

Ensure you develop a process to manage root user credential recovery mechanisms in case you need access to it during emergency such as takeover of your administrative account.

  • Ensure you have access to your root user email inbox so that you can reset a lost or forgotten root user password.

  • If MFA for your AWS account root user is lost, damaged, or not working, you can sign in using another MFA registered to the same root user credentials. If you lost access to all your MFAs, you need both the phone number and the email used to register your account, to be up to date and accessible to recover your MFA. For details, see Recovering a root user MFA device.

  • If you choose not to store your root user password and MFA, then the phone number registered in your account can be used as an alternate way to recover root user credentials. Ensure you have access to the contact phone number, keep the phone number updated, and limit who has access to manage the phone number.

No one person should have access to both the email inbox and phone number since both are verification channels to recover your root user password. It is important to have two groups of individuals managing these channels. One group having access to your primary email address and another group having access to the primary phone number to recover access to your account as root user.

Secure your Organizations account root user credentials

As you move to a multi-account strategy with Organizations, each of your AWS accounts has its own root user credentials that you need to secure. The account you use to create your organization is the management account and the rest of the accounts in your organization are member accounts.

Secure root user credentials for member accounts

If you use Organizations to manage multiple accounts, there are two strategies that you can take to secure root user access in your Organizations.

  • Centralize root access and remove root user credentials from member accounts. You can remove the root user password, access keys, signing certificates, and deactivate and delete multi-factor authentication (MFA). Member accounts can't sign in to their root user or perform password recovery for their root user. For more information, see Centrally manage root access for member accounts.

  • Secure root user credentials of your Organizations accounts with MFA.

For details, see Accessing member accounts in your organization in the Organizations User Guide.

Set preventative security controls in Organizations using a service control policy (SCP)

If the member accounts in your organization have root user credentials enabled, you can apply an SCP to restrict access to member account root user. Denying all root user actions in your member accounts, except for certain root-only actions, helps prevent unauthorized access. For details, see Use an SCP to restrict what the root user in your member accounts can do.

Monitor access and usage

We recommend you use your current tracking mechanisms to monitor, alert, and report the sign in and use of root user credentials, including alerts that announce root user sign-in and usage. The following services can help to ensure that root user credential usage is tracked and perform security checks that can help prevent unauthorized use.

Note

CloudTrail logs different sign-in events for the root user and privileged root user sessions. These privileged sessions allow tasks that require root user credentials to be performed in member accounts in your organization. You can use the sign-in event to identify the actions taken by the management account or a delegated administrator using sts:AssumeRoot. For more information, see Track privileged tasks in CloudTrail.

  • If you want to be notified about root user sign-in activity in your account, you can leverage Amazon CloudWatch to create an Events rule that detects when root user credentials are used and triggers a notification to your security administrator. For details, see Monitor and notify on AWS account root user activity.

  • If you want to set up notifications to alert you of approved root user actions, you can leverage Amazon EventBridge along with Amazon SNS to write an EventBridge rule to track root user usage for the specific action and notify you using an Amazon SNS topic. For an example, see Send a notification when an Amazon S3 object is created.

  • If you already using GuardDuty as your threat detection service, you can extend its capability to notify you when root user credentials are being used in your account.

Alerts should include, but not be limited to, the email address for the root user. Have procedures in place for how to respond to alerts so that personnel who receive a root user access alert understand how to validate that root user access is expected, and how to escalate if they believe that a security incident is in progress. For an example of how to configure alerts, see Monitor and notify on AWS account root user activity.

Evaluate root user MFA compliance

The following services can help evaluate MFA compliance for root user credentials.

MFA-related rules return noncompliant if you follow the best practice of removing root user credentials.

We recommend removing root user credentials from member accounts in your organization to help prevent unauthorized use. After you remove root user credentials, including MFA, these member accounts are evaluated as non-compliant.

  • AWS Config provides rules to monitor compliance with root user best practices. You can use AWS Config managed rules to help you enforce MFA for root user credentials. AWS Config can also identify access keys for the root user.

  • Security Hub provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices, such as having MFA on the root user and not having root user access keys. For details on the rules available, see AWS Identity and Access Management controls in the Security Hub User Guide.

  • Trusted Advisor provides a security check so you know if MFA isn't enabled on the root user account. For more information, see MFA on Root Account in the AWS Support User Guide.

If you need to report a security issue on your account, see Report Suspicious Emails or Vulnerability Reporting. Alternatively, you can Contact AWS for assistance and additional guidance.