Security best practices for AWS account administrators

If you’re an account administrator who has created a new AWS account, we recommend the following steps to help your users follow AWS security best practices when they sign in.

Sign in as the root user to Enable multi-factor authentication (MFA) and create an AWS administrative user in IAM Identity Center if you haven't already done so. Then, safeguard your root credentials and don't use them for everyday tasks.
Sign in as the AWS account administrator and set up the following identities:
- Create least-privilege users for other humans.
- Set up temporary credentials for workloads.
- Create access keys only for use cases that require long-term credentials.
Add permissions to grant access to those identities. You can get started with AWS managed policies and move towards least-privilege permissions.
- Add permission sets to AWS IAM Identity Center (successor to AWS Single Sign-On) users.
- Add identity-based policies to IAM roles used for workloads.
- Add identity-based polices for IAM users for use cases that require long-term credentials.
- For more information about IAM users, see Security best practices in IAM.
Save and share information about How to sign in to AWS. This information varies, depending on the type of identity you created.
Keep your root user email address and primary account contact phone number up to date to ensure that you can receive important account and security-related notifications.
- Modify the account name email address, or password for the AWS account root user.
- Access or update the primary account contact.
Review Security best practices in IAM to learn about additional identity and access management best practices.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

About sign-in URLs

Region availability