AWS Identity and Access Management
User Guide

The Account Root User

When you first create an Amazon Web Services account, you begin with only a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the root user and is accessed by signing in with the email address and password that you used to create the account.

Important

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the account root user, see AWS Tasks that Require Account Root User. For a tutorial on how to set up the administrator user for daily use, see Creating Your First IAM Admin User and Group.

To manage your root user, follow the steps in the following procedures.

Creating Access Keys for the Root User

You can use the AWS Management Console or various programming tools to create access keys for the root user.

To create an access key for the root user (console)

  1. Sign in to the AWS Management Console with your root account credentials (not as an IAM user) and open the IAM console at https://console.aws.amazon.com/iam/. An IAM user sign-in page has three text boxes; you cannot sign in as a root user on that page. If you determine that you are on an IAM user sign-in page, first choose the Sign-in using root account credentials link below the boxes on that page.

  2. On the IAM Dashboard page, choose your account name in the navigation bar, and then choose Security Credentials.

  3. If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  4. Expand the Access Keys (Access Key ID and Secret Access Key) section.

  5. Choose Create New Access Key. A dialog warns you that you have only this one opportunity to view or download the secret access key. It cannot be retrieved later.

    • If you choose Show Access Key, you can copy the access key ID and secret key from your browser window and paste them somewhere else.

    • If you choose Download Key File, you receive a file named rootkey.csv that contains the access key ID and the secret key. Save the file somewhere safe.

  6. When you no longer need to use the access key, we recommend that you delete it, or at least mark it inactive so that it cannot be misused if leaked.

To create an access key for the root user (programmatically)

Use one of the following commands:

Deleting Access Keys from the Root User

You can use the AWS Management Console or various programming tools to delete access keys for the root user.

To delete an access key from the root user (console)

  1. Sign in to the AWS Management Console with your root account credentials (not as an IAM user) and open the IAM console at https://console.aws.amazon.com/iam/. An IAM user sign-in page has three text boxes; you cannot sign in as a root user on that page. If you determine that you are on an IAM user sign-in page, first choose the Sign-in using root account credentials link below the boxes on that page.

  2. On the IAM Dashboard page, choose your account name in the navigation bar, and then choose Security Credentials.

  3. If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  4. Expand the Access Keys (Access Key ID and Secret Access Key) section.

  5. Find the access key that you want to delete, and then, under the Actions column, choose Delete.

    Note

    You can mark an access key as inactive instead of deleting it. This enables you to resume use of it in the future without having to change either the key ID or secret key. While it is inactive, any attempts to use it in requests to the AWS API fail with the status of access denied.

To delete an access key for the root user (programmatically)

Use one of the following commands:

Activate MFA on the Root User

Another security best practice is to always enable multi-factor authentication (MFA) on any user that can perform sensitive operations in your account. There are multiple types of MFA available. For more information about enabling MFA, see the following:

Changing the Root User's Password

For information about changing the root user's password, see Changing the AWS Account ("root") Password. To change the root user, you must log in using the root account credentials. To view the tasks that require you to sign in as the root user, see AWS Tasks that Require Account Root User.
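
One way to check the recommendations above (no active root access keys, MFA enabled on the root user) is to audit the root row of the IAM credential report. The following is an added example, not part of the original guide; the sample report is constructed, uses a subset of the report's columns, and the function name audit_root is hypothetical.

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """user,arn,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2024-05-02T09:14:00+00:00,false,true,2024-05-01T22:40:00+00:00,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2024-05-03T08:00:00+00:00,true,true,2024-05-03T08:05:00+00:00,false,N/A
"""

ROOT_NAME = "<root_account>"  # name the credential report uses for the root user


def audit_root(report_csv):
    """Return a list of findings for the root user row of a credential report."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == ROOT_NAME), None)
    if root is None:
        # Fail closed: a report without the root row cannot prove anything.
        return ["root row missing: report is incomplete or was filtered"]

    findings = []
    if root.get("mfa_active", "").lower() != "true":
        findings.append("root user has no MFA device enabled")

    # The report tracks up to two access keys per identity.
    for n in ("1", "2"):
        if root.get(f"access_key_{n}_active", "").lower() == "true":
            last = root.get(f"access_key_{n}_last_used_date", "N/A")
            findings.append(f"root access key {n} is active (last used: {last})")

    # Any recorded sign-in should map to a task that requires the root user.
    last_login = root.get("password_last_used", "N/A")
    if last_login not in ("N/A", "no_information", ""):
        findings.append(f"root console sign-in recorded at {last_login}")
    return findings


if __name__ == "__main__":
    for finding in audit_root(SAMPLE_REPORT):
        print("FINDING:", finding)
```

To run it against a real account, pass in the decoded CSV returned by `aws iam get-credential-report` (after `aws iam generate-credential-report`) in place of the sample.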