Security Identity & Compliance

AWS Root Account

  • Each AWS account has exactly one root user. The root user's username is the email address supplied when the account was created, and its password is set at the same time.
  • The root user signs in to the AWS console through the generic sign-in URL, which is the same for every AWS account.
  • Separate IAM identities and an account-specific sign-in URL (account alias) can be created for everyone else; these are discussed later.

Root Account Email

  • The root user has unrestricted access to every service and resource in the account and cannot be limited by IAM policies (only by a service control policy applied from an AWS Organization). A small set of tasks, such as activating IAM access to billing, changing the support plan and restoring IAM permissions, can only be performed with root credentials.
  • AWS uses the root account email for a number of communications, such as:
    • Monthly billing summaries
    • Important AWS announcements
    • Security notifications, for example when AWS detects exposed credentials or abused resources

Recommendation: For a corporate account, point the root email at a distribution list (for example a dedicated cloud-security list) rather than an individual's mailbox, so that several team members see critical communications and nothing is lost when someone leaves. Keep that list small and controlled: the address is also the root username, and password-reset links for the root user are delivered to it.

  • If signing up for AWS for personal use, use an alias rather than your primary personal address.
  • Every AWS account needs its own unique email address, so aliases make it practical to run the several accounts that testing certain features effectively requires.
  • If this guidance wasn't followed at sign-up, the root user's email address, like other account settings, can still be changed later.

Warning: Once an account is closed, the email address associated with it stays permanently tied to that closed account and cannot be reused for a new one. If you will need the address again, change the root email before closing the account.

Unique Tasks Performed by Root Account

Tasks exclusive to root account credentials include:

  • Changing account settings such as the account name, contact information, root email address and root password
  • Changing support plans
  • Activating IAM access to the Billing and Cost Management console
  • Restoring permissions for IAM users when the only administrator's permissions have been accidentally removed

Advanced Root Account Tasks

Other unique tasks include:

  • Enabling MFA Delete on a versioned S3 bucket, so that deleting an object version or changing the versioning state requires an MFA code
  • Editing or deleting an S3 bucket policy that denies access to all principals (which would otherwise lock out every IAM identity, administrators included)
  • Signing up for AWS GovCloud (US)
  • Closing the AWS account, which can only be done with root credentials

The root user authenticates with its email address and the password set during signup.

Access keys (an access key ID and secret access key) can be created for the root user, but they should not exist: do not create them, and delete any that already do. A root access key is a long-lived credential with unrestricted, unscoped access, so leaking it is equivalent to losing the account.

Enable MFA on the root user; it is the single most important control for this credential. Store the root password and MFA device securely, use the root user only for the tasks listed above, and do everything else with IAM identities.
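As an added example (not from the original page), the following Python audits the root user's credentials from an IAM credential report, the same CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` returns, and cross-checks it against the SummaryMap of `aws iam get-account-summary`. The report rows, the account number 111122223333 and the timestamps are constructed sample data; the finding messages and function names are this example's own.

```python
"""Audit the root user's credentials from an IAM credential report.

Added example, not from the original page. The CSV header matches the real
credential report layout; the two rows are constructed sample data.
"""
import base64
import csv
import io

SAMPLE_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    # Constructed root row: no MFA, one active access key that was used recently.
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-15T10:00:00+00:00,"
    "not_supported,2024-05-01T08:12:00+00:00,not_supported,not_supported,false,"
    "true,2020-01-15T10:05:00+00:00,2024-04-30T22:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # Constructed ordinary IAM user with MFA, present only so the filter is exercised.
    "alice,arn:aws:iam::111122223333:user/alice,2021-03-02T09:00:00+00:00,true,"
    "2024-05-02T07:00:00+00:00,2024-01-10T09:00:00+00:00,2024-04-09T09:00:00+00:00,"
    "true,true,2024-01-10T09:00:00+00:00,2024-05-02T07:30:00+00:00,us-east-1,iam,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)

# The CLI returns the CSV base64-encoded in the Content field; mimic that here.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()

ROOT_USER = "<root_account>"  # the literal user name AWS uses for the root row


def decode_report(content_b64: str) -> list[dict]:
    """Turn the base64 Content field into one dict per credential row."""
    text = base64.b64decode(content_b64).decode()
    return list(csv.DictReader(io.StringIO(text)))


def audit_root(rows: list[dict]) -> list[str]:
    """Return findings for the root user; an empty list means it is clean."""
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["credential report contains no root row; regenerate it"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root user has no MFA device enabled")
    for n in (1, 2):
        # Either key slot being active is a finding; report when it was last used
        # so the responder can tell a forgotten key from one in active use.
        if root[f"access_key_{n}_active"] == "true":
            findings.append(
                f"root access key {n} is active "
                f"(last used {root[f'access_key_{n}_last_used_date']} "
                f"by {root[f'access_key_{n}_last_used_service']})"
            )
    return findings


def audit_account_summary(summary: dict) -> list[str]:
    """Cheaper cross-check on the SummaryMap from get-account-summary."""
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("AccountMFAEnabled is 0: root user has no MFA")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("AccountAccessKeysPresent is 1: root user still has access keys")
    return findings


def sample_findings() -> list[str]:
    """Run the audit over the constructed sample report."""
    return audit_root(decode_report(SAMPLE_REPORT_B64))


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

In practice, pipe the real report into `decode_report` and run the audit on a schedule; a root access key that shows a recent last-used service is a higher-priority finding than MFA alone, because something is actively using the unrestricted credential.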

Types of MFA Devices

Choose between a hardware token and a software (virtual) token based on where the people who hold the root credential are. A hardware token is preferred because its seed cannot be exported; for a geographically dispersed team, a software token may be more practical. AWS also supports FIDO security keys (and, more recently, passkeys), which are phishing-resistant, and up to eight MFA devices can be registered on the root user, so a hardware device can be kept as a backup alongside a virtual one.