Best practices to protect your account's root user - AWS Account Management

The following are recommended best practices related to the root user of an AWS account.

Limit the tasks you perform with the root user

We strongly recommend that you use the root user only for two things:

Lock away your AWS account root user access keys

You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, we strongly recommend that you do not use your AWS account root user access key. The access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information. You can't reduce the permissions associated with your AWS account root user access key.

You should protect your root user credentials like you would your credit card numbers or any other sensitive secret. Here are some ways to do that:

  • Access keys

    • If you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to. Instead, use the root user to create an IAM user for yourself that has administrative permissions.

    • If you do have an access key for your root user, delete it.

    • If you must keep one available, rotate (change) the access key regularly. To delete or rotate your root user access keys, use your root user to sign in to the My Security Credentials page in the AWS Management Console. You can manage your access keys in the Access keys section. For more information about rotating access keys, see Rotating access keys in the IAM User Guide.

  • Never share your AWS account root user password or access keys with anyone.

  • Use a strong password to help protect access to the AWS Management Console. For information about managing your AWS account root user password, see Changing the password for the root user.

  • Enable AWS multi-factor authentication (MFA) for your AWS account root user. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.
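To verify the access key and MFA recommendations above, you can inspect the `<root_account>` row of the IAM credential report. The following Python function is an added example, not part of the original AWS documentation; the sample report is constructed, and the 90-day rotation threshold and the function name `audit_root` are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,true,2023-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-05-01T09:30:00+00:00,false,N/A
"""

MAX_KEY_AGE_DAYS = 90  # assumption: the guidance above only says "regularly"


def audit_root(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of findings for the <root_account> row of a credential report."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        return ["root row missing from report"]

    findings = []
    if root["mfa_active"].lower() != "true":
        findings.append("root MFA is not enabled")

    # The root user can hold up to two access keys; check both slots.
    for n in ("1", "2"):
        if root[f"access_key_{n}_active"].lower() != "true":
            continue
        findings.append(f"root access key {n} is active: delete it")
        rotated = root[f"access_key_{n}_last_rotated"]
        if rotated not in ("N/A", ""):
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_key_age_days:
                findings.append(f"root access key {n} not rotated for {age} days")
    return findings


if __name__ == "__main__":
    checked_at = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
    for finding in audit_root(SAMPLE_REPORT, checked_at):
        print(finding)
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, retrieve it with `aws iam get-credential-report`, and base64-decode the returned content before passing it to the function.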