Best practices to protect your account's root user
The following are recommended best practices related to the root user of an AWS account.
Limit the tasks you perform with the root user
You should protect your root user credentials like you would your credit card numbers or any other sensitive secret and use them for only the tasks that require them. Here are some ways to protect your root user credentials:
- Enable AWS multi-factor authentication (MFA) on your AWS account root user. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.
- Never share your AWS account root user password or access keys with anyone.
- Use a strong password to help protect access to the AWS Management Console. For information about managing your AWS account root user password, see Changing the password for the root user.
We strongly recommend that you use the root user for only the following tasks:
- Create an administrative user in AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) for daily tasks. For details about how to do this, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
- Perform those tasks that can be performed by only the root user. For the complete list of these tasks, see Tasks that require root user credentials.
Don't create access keys for the root user
You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, we strongly recommend that you do not create an AWS account root user access key. The access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information. You can't reduce the permissions associated with your AWS account root user access key.
- If you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to. Instead, use the root user to create an administrative user in AWS IAM Identity Center (successor to AWS Single Sign-On) for daily administrative tasks.
- If you do have an access key for your root user, delete it.
- If you must keep one available, rotate (change) the access key regularly. To delete or rotate your root user access keys, use your root user to sign in to the My Security Credentials page in the AWS Management Console. You can manage your access keys in the Access keys section. For more information about rotating access keys, see Rotating access keys in the IAM User Guide.
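The two recommendations above (MFA on the root user, no root access keys) can be verified from outside the console. The following is an added example, not AWS's own code: it evaluates the root-user fields of the IAM GetAccountSummary SummaryMap and of the IAM credential report, using constructed sample data that mimics the shape of both (the account ID and the report columns shown are a labelled subset, not real values).

```python
"""Check an AWS account's root user against the root-user best practices.

Added example (not AWS code). Assumes the inputs have the shape of the IAM
GetAccountSummary SummaryMap and of the IAM credential report CSV; the
sample data below is constructed and uses a placeholder account ID.
"""
import csv
import io

ROOT_USER = "<root_account>"  # how the credential report names the root user


def check_account_summary(summary_map):
    """Return findings from a GetAccountSummary SummaryMap dict."""
    findings = []
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has access keys; delete or rotate them")
    return findings


def check_credential_report(report_csv):
    """Return findings for the <root_account> row of a credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue  # only the root user is in scope here
        if row["mfa_active"] != "true":
            findings.append("root user has no MFA device")
        for slot in ("access_key_1_active", "access_key_2_active"):
            if row[slot] == "true":
                findings.append(f"root user {slot[:-len('_active')]} is active")
    return findings


# Constructed sample data: a subset of the real credential report columns and
# a placeholder account ID, shaped like the live API responses.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}
SAMPLE_REPORT = (
    "user,arn,mfa_active,access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,false,true,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,true,true,false\n"
)

if __name__ == "__main__":
    findings = check_account_summary(SAMPLE_SUMMARY)
    findings += check_credential_report(SAMPLE_REPORT)
    for finding in findings:
        print("FINDING:", finding)
```

Against a live account, feed `iam.get_account_summary()["SummaryMap"]` and the decoded `Content` of `iam.get_credential_report()` (boto3) into the same two functions, signed in as an administrative IAM Identity Center user rather than the root user.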