Profile Applicability: Level 1
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account. The "root" account has unrestricted access to all resources in the AWS account.
Since the root user has complete control over your AWS cloud infrastructure and resources, its credentials must be kept from falling into the wrong hands. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and of unintended disclosure of highly privileged credentials. It is highly recommended that the use of this account be minimized.
By default, AWS allows you to use the root account, but it is not recommended for routine use.
```shell
# Generate a fresh report first; the CLI returns the CSV base64-encoded in the Content field
aws iam generate-credential-report
aws iam get-credential-report
```
Note: There are a few conditions under which use of the root account is required, such as requesting a penetration test or creating a CloudFront private key.
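As an added example (not part of the benchmark text), the Python below parses the credential report returned by the command above and flags recent root activity: a root console login inside the audit window, an active root access key, or a root access key used inside the window. The sample CSV (a subset of the report's real columns), the account ID 111122223333, the fixed "now" and the 90-day window are constructed assumptions; the optional fetch helper assumes boto3 is installed and the report has finished generating.

```python
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data). Only a subset of the report's columns is shown;
# the root row reports a console login 3 days before NOW and an active access key.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,"
    "access_key_1_active,access_key_1_last_used_date,"
    "access_key_2_active,access_key_2_last_used_date\n"
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-29T10:15:00+00:00,true,true,N/A,false,N/A\n"
    "admin,arn:aws:iam::111122223333:user/admin,2023-01-01T00:00:00+00:00,"
    "true,2024-05-31T08:00:00+00:00,true,true,2024-05-31T08:05:00+00:00,false,N/A\n"
)

def decode_report_content(content):
    """The CLI's Content field (and boto3's) carries the CSV base64-encoded."""
    return base64.b64decode(content).decode()

def parse_report(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def _timestamp(value):
    # The report uses these markers instead of a timestamp when there is none.
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def root_findings(rows, now=NOW, window_days=90):
    """Return human-readable findings for the <root_account> row; empty list means clean."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    cutoff = now - timedelta(days=window_days)
    findings = []
    last_login = _timestamp(root["password_last_used"])
    if last_login and last_login >= cutoff:
        findings.append(f"root console login within {window_days} days ({last_login.date()})")
    for n in ("1", "2"):
        if root[f"access_key_{n}_active"] == "true":
            findings.append(f"root access key {n} is active")
        used = _timestamp(root[f"access_key_{n}_last_used_date"])
        if used and used >= cutoff:
            findings.append(f"root access key {n} used within {window_days} days ({used.date()})")
    return findings

def fetch_live_report():
    """Assumption: boto3 is installed and the report is ready (otherwise get_credential_report raises)."""
    import boto3
    iam = boto3.client("iam")
    iam.generate_credential_report()
    return decode_report_content(iam.get_credential_report()["Content"])

if __name__ == "__main__":
    for finding in root_findings(parse_report(SAMPLE_CSV)):
        print(finding)
```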
Instead of using the root account frequently, create an Admin user and use it. To create an Admin user, follow the steps below.
Click the Next button at the bottom, review the details you entered, and click Create User.
```shell
# Create the user, then attach the AWS-managed AdministratorAccess policy to it
aws iam create-user --user-name MyUser
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name MyUser
```
If you want to revoke the changes you made, follow the steps in the Implementation section; from there you can delete the user or change the attached access policy.
- Security best practices in IAM - AWS Identity and Access Management
- AWS account root user - AWS Identity and Access Management
4.3 Ensure the Use of Dedicated Administrative Accounts
- Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.