How and when to use the root user account - AMS Accelerate Operations Plan

AWS Managed Services (AMS) Security and Operations provide robust security for customer accounts. The "root user" account is the superuser, or administrator, account within your AWS account; its use is strongly discouraged and is monitored by AMS. However, some tasks require root access, including changing your account settings, activating AWS Identity and Access Management (IAM) access to billing and cost management, changing your root password, and enabling multi-factor authentication (MFA). Root should not be used otherwise. For more information on when to use the root user account, see Tasks that require root user credentials. For information about how MFA is configured, see Secure New Account with Multi-Factor Authentication.

Note

MFA is configured at onboarding specifically to disallow root access. Root access in AMS accounts is different from other AWS accounts, and is critical to the security of your entire AMS-managed environment. When MFA is configured, the token is deleted immediately, ensuring that neither you nor AMS retains the ability to log in as root. AMS expects such access to be used only when absolutely necessary.

When root access is required, the process varies slightly between AMS account types but always triggers an AMS Security and Operations team response. AMS monitors API calls for root access, and alarms are triggered if such access is detected.

Root with AMS Advanced single-account landing zone:

If you have a single-account landing zone, contact your cloud service delivery manager (CSDM) and cloud architects (CAs) to advise them of the root access work that you require. It is best to give twenty-four hours' notice before the proposed activity.

Root with AMS Advanced multi-account landing zone:

For multi-account landing zone Application, Shared Services, Security, or Networking accounts, use the Management | Other | Other (ct-1e1xtak34nx76) change type. Include the date, time, and purpose of using the root user credentials, and schedule the RFC so that it gives twenty-four hours' notice before the proposed activity. Use your multi-account landing zone Management account to submit the RFC.

Additionally, contact your CSDM and CAs twenty-four hours in advance to advise them of the root access work you require.

Root with AMS Accelerate:

For AMS Accelerate accounts, AMS cannot prohibit you from using your root user account. However, AMS Operations and Security treats every use as an issue to investigate and reaches out to your Security team each time the root user is used.

If you have an AMS Accelerate account, contact your CSDM and CAs twenty-four hours in advance to advise them of the root access work you require.

To learn about AWS root user account usage, see AWS account root user.

AMS operations and security response to root usage:

The AMS Operations team receives an alarm when the root user account is used. If the root credential usage is unscheduled, they contact the AMS Security team and your account team to verify whether this is expected activity. If it is not expected activity, AMS works with your Security team.
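The two statements above (AMS monitors API calls for root access and alarms on them; unscheduled usage is triaged against what was announced in advance) describe the detection side of this process. The following Python script is an added illustration of that logic and is not AMS code; it applies the CIS-benchmark root-usage test (userIdentity.type is Root, no invokedBy service, and eventType is not AwsServiceEvent) to constructed CloudTrail records and marks each root event as scheduled or unscheduled against a constructed list of announced maintenance windows. The window labels, account ID, IP addresses and RFC identifier are all made-up sample values.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not from any real account).
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-10T09:15:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-03-10T09:20:00Z", "eventName": "UpdateAccountPasswordPolicy",
     "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-03-12T22:05:00Z", "eventName": "CreateBucket",
     "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.77"},
    # Ordinary IAM user activity: must not be flagged.
    {"eventTime": "2024-03-12T22:06:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.77"},
    # Service-initiated event attributed to root: an AWS service acting on the
    # account, not a person holding root credentials. Must not be flagged.
    {"eventTime": "2024-03-12T22:07:00Z", "eventName": "AssumeRole",
     "eventType": "AwsServiceEvent", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "invokedBy": "config.amazonaws.com"}},
]

# Constructed maintenance windows: root work announced to the account team
# at least twenty-four hours ahead (placeholder RFC identifier).
SCHEDULED_WINDOWS = [
    ("2024-03-10T09:00:00Z", "2024-03-10T10:00:00Z",
     "RFC-EXAMPLE-001: enable MFA, update password policy"),
]


def _parse(ts):
    """CloudTrail timestamps are UTC in ISO-8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_root_activity(record):
    """CIS-style root-usage test: identity type Root, not invoked by an AWS
    service on the account's behalf, and not a service-generated event."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def scheduled_for(event_time, windows):
    """Return the label of the announced window covering event_time, else None."""
    t = _parse(event_time)
    for start, end, label in windows:
        if _parse(start) <= t <= _parse(end):
            return label
    return None


def triage_root_usage(records, windows):
    """Return one finding per root event. Root usage inside an announced
    window is 'info' (expected); anything else is 'high' and needs the
    Security and account teams to confirm whether it was expected."""
    findings = []
    for r in records:
        if not is_root_activity(r):
            continue
        label = scheduled_for(r["eventTime"], windows)
        findings.append({
            "eventTime": r["eventTime"],
            "eventName": r["eventName"],
            "eventSource": r.get("eventSource"),
            "sourceIPAddress": r.get("sourceIPAddress"),
            "console_login": r["eventName"] == "ConsoleLogin",
            "scheduled": label,
            "severity": "info" if label else "high",
        })
    return findings


if __name__ == "__main__":
    for f in triage_root_usage(SAMPLE_RECORDS, SCHEDULED_WINDOWS):
        print(json.dumps(f))
```

Run against the constructed records, the script produces three findings: the console login and password-policy change on 10 March fall inside the announced window and are reported as expected, while the S3 call on 12 March has no matching window and is reported at high severity, which is the case the text describes as triggering contact with the Security and account teams. The IAM-user call and the service-generated event are excluded by the identity test, which is what keeps a root-usage alarm from firing on routine service activity.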