AWS account root user credentials and IAM user credentials
An AWS account has two kinds of users: the account owner (the root user) and AWS Identity and Access Management (IAM) users. The root user is created together with the AWS account; IAM users are created by the root user or by an IAM administrator for the account. Every user, root or IAM, has its own security credentials.
Root user credentials
The credentials of the account owner allow full access to all resources in the account. You cannot use IAM policies to explicitly deny the root user access to resources. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user, and an SCP applies only to the root users of member accounts, never to the root user of the organization's management account. Because of this, we recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the root user credentials: enable MFA on the root user, and do not create access keys for it unless a task requires them (delete them when the task is done).
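The check below is an added example, not code from this page or from AWS. It parses an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) and flags a root user that still has active access keys or no MFA, plus IAM users that have a console password but no MFA. The report rows are constructed for the example; the column names and the `<root_account>` user name follow the real report format.

```python
import csv
import io

# Constructed sample in the layout of the IAM credential report. The header
# and the "<root_account>" user name match the real report; the three rows
# are invented for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2024-05-01T10:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2021-03-02T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
reader,arn:aws:iam::123456789012:user/reader,2022-06-15T00:00:00+00:00,true,no_information,2022-06-15T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"  # how the credential report names the root user


def audit_credential_report(report_csv: str) -> dict:
    """Return {user: [issue, ...]} for every user with a finding.

    Root user: any active access key is a finding (root should have none),
    as is a missing MFA device.
    IAM users: a console password without MFA is a finding.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        mfa = row["mfa_active"] == "true"
        if user == ROOT_USER:
            if active_keys:
                issues.append("root has active access key(s): " + ", ".join(active_keys))
            if not mfa:
                issues.append("root has no MFA")
        elif row["password_enabled"] == "true" and not mfa:
            issues.append("console password without MFA")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

On a real account, feed the decoded `Content` field of `get-credential-report` to `audit_credential_report`; the report is generated at most once every four hours, so run `generate-credential-report` first and wait for it to complete.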
There are specific tasks that are restricted to the AWS account root user. For example, only the root user can close your account. If you need to perform a task that requires the root user, sign in to the AWS Management Console using the email address and password of the root user. For more information, see Tasks that require root user credentials.
IAM credentials
With IAM, you can securely control access to AWS services and resources for users in your AWS account. For example, if you require administrator-level permissions, you can create an IAM user, grant that user full access, and then use those credentials to interact with AWS. If you need to modify or revoke your permissions, you can delete or modify the policies that are associated with that IAM user.
If you have multiple users that require access to your AWS account, you can create unique credentials for each user and define who has access to which resources. You don't need to share credentials. For example, you can create IAM users with read-only access to resources in your AWS account and distribute those credentials to users.
Tasks that require root user credentials
We recommend that you use an IAM user with appropriate permissions to perform tasks and access AWS resources. However, you can perform the tasks listed below only when you sign in as the root user of an account.
Tasks
- Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and Regions, do not require root user credentials.
- Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
- Activate IAM access to the Billing and Cost Management console.
- View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not from AWS Inc. or Amazon Internet Services Pvt. Ltd (AISPL).
- Change your AWS Support plan or cancel your AWS Support plan. For more information, see IAM for AWS Support.
- Register as a seller in the Reserved Instance Marketplace.
- Configure MFA delete for your S3 bucket.
- Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID.
Troubleshooting
If you cannot complete any of these tasks using your root user credentials, your account might be a member of an organization in AWS Organizations. If your organizational administrator used a service control policy (SCP) to limit the permissions of your account, your root user permissions might be affected. For more information, see Service control policies in the AWS Organizations User Guide.
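The following is an added example, not code from this page or from AWS. It shows the kind of SCP that the root user section and this troubleshooting note refer to (a Deny keyed on the `aws:PrincipalArn` condition matching `arn:aws:iam::*:root`), together with a deliberately simplified evaluator that answers the question a troubleshooting session asks: does an explicit Deny in the SCP cover this principal and this action? The SCP document and the ARNs are constructed for the example; the evaluator models only Deny statements, Action wildcards and the StringLike condition on `aws:PrincipalArn`, nothing else.

```python
import re

# Constructed SCP that denies the member account's root user every action.
# An SCP can only remove permissions, never grant them; IAM users in the
# account are untouched because their ARNs do not match the condition.
DENY_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        }
    ],
}


def _matches(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(scp: dict, principal_arn: str, action: str) -> bool:
    """Simplified SCP check: is there an explicit Deny covering this call?

    Modelled: Deny statements, Action wildcards (case-insensitive, as IAM
    treats action names) and a StringLike condition on aws:PrincipalArn
    (case-sensitive). Not modelled: NotAction, Resource matching, other
    condition keys, or the Allow side of evaluation. In a real organization
    the action also needs an Allow in every SCP on the path from the root to
    the account (the default FullAWSAccess policy provides one) to succeed.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_matches(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        arn_patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
        if arn_patterns is not None and not any(
            _matches(p, principal_arn, False) for p in _as_list(arn_patterns)
        ):
            continue
        return True
    return False


ROOT = "arn:aws:iam::123456789012:root"
ADMIN = "arn:aws:iam::123456789012:user/admin"

if __name__ == "__main__":
    for who in (ROOT, ADMIN):
        verdict = "denied" if scp_denies(DENY_ROOT_SCP, who, "iam:CreateUser") else "not denied"
        print(f"{who}: iam:CreateUser {verdict}")
```

Two caveats for the troubleshooting case: SCPs never apply to the management account, so its root user is unaffected by any policy like the one above, and a member account's root user cannot see the SCPs attached to its account; only an administrator in the management account can inspect or detach them.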