AWS — IAM Account Root User Overview

Introduction to IAM Account Root User in AWS

  • A root user is created during the AWS sign-up process
  • Every AWS account has exactly one root user
  • It has complete access to all AWS services and resources in the account
  • Its permissions cannot be restricted by any means (except when a Service Control Policy is attached to your account)
  • It is accessed by signing in with the email address and password that you used to create the account
  • Do not use the root user for everyday tasks, even administrative ones
  • Securely lock away the root user credentials and use them only for the few account and service management tasks that require them

When to use the root user account

  • Modify root user details. This includes changing the root user’s password
  • Change your AWS support plan
  • Change your payment options
  • View your account billing information and Billing tax invoices
  • Close an AWS account
  • Sign up for GovCloud
  • Find your AWS account canonical user ID in the console. You can view your canonical user ID from the AWS Management Console only while signed in as the AWS account root user. You can view your canonical user ID as an IAM user with the AWS API or AWS CLI
  • Restore IAM user permissions. If an IAM user accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions
  • Change your account settings using the Billing and Cost Management console. You can view and edit your contact and alternate contact information, the currency that you pay your bills in, the Regions that you can create resources in, and your tax registration numbers
  • Submit a reverse DNS request for Amazon EC2
  • Create a CloudFront key pair
  • Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete
  • Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID
  • Request removal of the port 25 email throttle on your EC2 instance
  • Change the Amazon EC2 setting for longer resource IDs. Changing this setting as the root user affects all users and roles in the account. Changing it as an IAM user or IAM role affects only that user or role

What can go wrong

  • Your account can be compromised
  • An intruder may expose all your data
  • An intruder may even delete all your data and resources
  • This can easily lead to lawsuits and heavy financial loss

Best Practices

  • Activate MFA on your root account
  • Disable or delete your root access keys
  • Rotate credentials
  • Do not share root user credentials
  • Create an IAM user with administrative privileges for everyday administration
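As an added example (not part of the original post), a small Python check that evaluates the best practices above against the data the AWS CLI already gives you: the SummaryMap from `aws iam get-account-summary` and the CSV from `aws iam get-credential-report`. The sample inputs below are constructed, and the 90-day password age is an assumed threshold, not an AWS default.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of the SummaryMap from `aws iam get-account-summary`
# (only the two keys this check needs).
SAMPLE_SUMMARY_MAP = {
    "AccountMFAEnabled": 0,         # 1 when the root user has an MFA device
    "AccountAccessKeysPresent": 1,  # 1 when the root user still has an access key
}

# Constructed sample of the CSV that `aws iam get-credential-report` returns
# (base64-encoded in its "Content" field); columns trimmed to the ones used here.
SAMPLE_REPORT_CSV = (
    "user,arn,password_last_changed,mfa_active,access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,2022-01-15T10:00:00+00:00,false,true,false\n"
    "admin,arn:aws:iam::111122223333:user/admin,2024-03-01T09:30:00+00:00,true,true,false\n"
)

MAX_ROOT_PASSWORD_AGE = timedelta(days=90)  # assumed rotation policy, not an AWS default


def root_row(report_csv):
    """Return the credential-report row for the root user (user == '<root_account>')."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row
    raise ValueError("credential report has no <root_account> row")


def audit_root_user(summary_map, report_csv, now=None):
    """Evaluate the root-user best practices; returns a list of findings (empty = all pass)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if summary_map.get("AccountMFAEnabled") != 1:
        findings.append("MFA is not enabled on the root user")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user still has access keys; delete them")
    row = root_row(report_csv)
    if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
        findings.append("credential report shows an active root access key")
    changed = datetime.fromisoformat(row["password_last_changed"])
    if now - changed > MAX_ROOT_PASSWORD_AGE:
        findings.append(f"root password last changed {(now - changed).days} days ago; rotate it")
    return findings


if __name__ == "__main__":
    for finding in audit_root_user(SAMPLE_SUMMARY_MAP, SAMPLE_REPORT_CSV):
        print("FINDING:", finding)
```

Run it against a real account by feeding in the decoded `Content` of the credential report and the `SummaryMap` object; the credential report can lag a few hours behind recent changes, so treat the summary map as the authoritative MFA and access-key signal.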