Introduction to IAM Account Root User in AWS
- A root user is created during the AWS sign-up process
- All AWS accounts have a root user (only one)
- Has complete access to all AWS services and resources in the account
- Permissions cannot be restricted by any means (except if Service Control Policy attached to your account)
- Is accessed by signing in with the email address and password that you used to create the account
- You do not use the root user for your everyday tasks, even the administrative ones
- Securely lock away the root user credentials and use them to perform only a few account and service management tasks
When to use root user account
- Modify root user details. This includes changing the root user’s password
- Change your AWS support plan
- Change your payment options
- View your account billing information. View Billing tax invoices
- Close an AWS account
- Sign up for GovCloud
- Find your AWS account canonical user ID in the console. You can view your canonical user ID from the AWS Management Console only while signed in as the AWS account root user. You can view your canonical user ID as an IAM user with the AWS API or AWS CLI
- Restoring IAM user permissions. If an IAM user accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions
- Change your account settings using the Billing and Cost Management console. You can view and edit your contact and alternate contact information, the currency that you pay your bills in, the Regions that you can create resources in, and your tax registration numbers
- Submit a Reverse DNS for Amazon EC2 request
- Create a CloudFront key pair
- Configuring an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete
- Editing or deleting an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID
- Request removal of the port 25 email throttle on your EC2 instance
- Change the Amazon EC2 setting for longer resource IDs. Changing this setting as the root user affects all users and roles in the account. Changing it as an IAM user or IAM role affects only that user or role
What can go wrong
- Your account can get compromised
- Intruder may expose all your data
- Intruder may even delete all your data and resources
- This can easily lead to lawsuits and heavy financial loss
Best Practices
- Activate MFA on your root account
- Disable/delete your root access keys
- Rotate credentials
- Do not share root user credentials
- Create IAM user with administrative privileges
Got a project that needs expert IT support?
From Linux and Microsoft Server to VMware, networking, and more, our team at CR Tech is here to help.
Get personalized support today and ensure your systems are running at peak performance or make sure that your project turns out to be a successful one!
CONTACT US NOW