Amazon Web Services
General Reference (Version 1.0)

AWS Account Root User Credentials vs. IAM User Credentials

All AWS accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. You cannot use policies within your account to explicitly deny access to the root user. You can only use an AWS Organizations service control policy (SCP) to limit permissions to an account, including the root user, that is a member of an organization or organizational unit (OU). Because of this, we recommend that you delete your root user access keys and then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS. For more information, see Lock away your AWS account (root) access keys in the IAM User Guide.


You may need AWS account root user access for specific tasks, such as changing an AWS support plan or closing your account. In these cases, sign in to the AWS Management Console with your email and password. See Email and Password (Root User).

For a list of tasks that require root user access, see AWS Tasks That Require AWS Account Root User Credentials.

With IAM, you can securely control access to AWS services and resources for users in your AWS account. For example, if you require administrator-level permissions, you can create an IAM user, grant that user full access, and then use those credentials to interact with AWS. If you need to modify or revoke your permissions, you can delete or modify the policies that are associated with that IAM user.

If you have multiple users that require access to your AWS account, you can create unique credentials for each user and define who has access to which resources. You don't need to share credentials. For example, you can create IAM users with read-only access to resources in your AWS account and distribute those credentials to your users.


Any activity or costs that are associated with the IAM user are billed to the AWS account owner.