AWS account root user

When you first create an Amazon Web Services (AWS) account, the email address and password you provide are the credentials for your root user, which has access to all AWS services and resources in the account.

• Use the root user only to perform the tasks that require root-level permissions. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.

• Follow the root user best practices for your AWS account.

• If you're having trouble signing in see Sign in to the AWS Management Console.

For help with root user issues, see Troubleshoot issues with the root user.

The following topics detail management tasks associated with the root user.

Tasks

• Multi-factor authentication for AWS account root user
• Change the password for the AWS account root user
• Reset a lost or forgotten root user password
• Create access keys for the root user
• Delete access keys for the root user
• Tasks that require root user credentials
• Related information

Tasks that require root user credentials

We recommend that you configure an administrative user in AWS IAM Identity Center to perform daily tasks and access AWS resources. However, you can perform the tasks listed below only when you sign in as the root user of an account.

For help with root user issues, see Troubleshoot issues with the root user.

Account Management Tasks

• Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and AWS Regions, don't require root user credentials.

• Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.

• Close your AWS account.

  For more information, see the following topics:

  • How do I assign ownership of my AWS account to another entity?.

  • How do I close my AWS account?.

  • Close a standalone AWS account.

Billing Tasks

• Activate IAM access to the Billing and Cost Management console.

• Some Billing tasks are limited to the root user. See Managing an AWS account in AWS Billing User Guide for more information.

• View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc. or Amazon Internet Services Private Limited (AISPL).

AWS GovCloud (US) Tasks

• Sign up for AWS GovCloud (US).

• Request AWS GovCloud (US) account root user access keys from AWS Support.

Amazon EC2 Task

• Register as a seller in the Reserved Instance Marketplace.

AWS KMS Task

• In the event that an AWS Key Management Service key becomes unmanageable, an administrator can recover it by contacting AWS Support; however, AWS Support responds to your root user's primary phone number for authorization by confirming the ticket OTP.

Amazon Mechanical Turk Task

• Link Your AWS account to your MTurk Requester account.

Amazon Simple Storage Service Tasks

• Configure an Amazon S3 bucket to enable MFA (multi-factor authentication).

• Edit or delete an Amazon S3 bucket policy that denies all principals.

Amazon Simple Queue Service Task

• Edit or delete an Amazon SQS resource policy that denies all principals.

Related information

The following articles provide additional information about working with the root user.

• What are some best practices for securing my AWS account and its resources?

• How can I create an EventBridge event rule to notify me that my root user was used?

• Monitor and notify on AWS account root user activity

• Monitor IAM root user activity