AWS account root user credentials and IAM identities - AWS General Reference

AWS account root user credentials and IAM identities

There are different types of users in AWS. All AWS users have security credentials. There is the account owner (root user), users in AWS IAM Identity Center (successor to AWS Single Sign-On), federated users, and IAM users. When you create an AWS account, we create the account root user. The first task you perform with the root user is to grant another user administrative permissions to your AWS account.

Root user credentials

The credentials of the account owner allow full access to all resources in the account. You can't use IAM policies to deny the root user access to resources explicitly. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user. Because of this, we recommend that you create a user in IAM Identity Center with administrator permissions for everyday AWS tasks, and lock away the credentials for the root user.

There are specific tasks that are restricted to the AWS account root user. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the AWS Account Management Reference Guide. If you must perform a task that requires the root user, sign in to the AWS Management Console with the email address and password of the root user.

Considerations
  • Be sure to save the following in a secure location: the email address associated with your AWS account, the AWS account ID, the root user password, and your account access keys. If you forget or lose your root user password, you must have access to the email address associated with your account in order to reset it. If you lose your access keys, you must sign into your account to create new ones.

  • We strongly recommend that you do not use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform.

  • Security credentials are account-specific. If you have access to multiple AWS accounts, you have separate credentials for each account.

  • Never share your AWS account root user password or access keys with anyone.

IAM identities

An user represents a human user or programmatic workload, and can be authenticated and then authorized to perform actions in AWS. Each IAM identity can be associated with one or more policies. Policies determine what actions a user, role, or member of a user group can perform, on which AWS resources, and under what conditions. Using IAM identities you can securely control access to AWS services and resources in your AWS account. For example, if you require administrator-level permissions, you can create either a user in IAM Identity Center, an IAM role, or an IAM user and then grant that identity the required permissions to interact with AWS using a policy. If you must modify or revoke administrative permissions, you can delete or modify the policies that are associated with that identity.

If you have multiple users who require access to your AWS account, you can create unique credentials for each user and define who has access to which resources. You don't need to share credentials. For example, you can create roles with read-only access to resources in your AWS account and assign users those roles to give them access when needed.

For more information, see IAM identities in the IAM User Guide.