Profile Applicability: Level 1
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account. The "root" account has unrestricted access to all resources in the AWS account.
The root account has full access to all resources in your AWS account and is the most privileged identity in it. We strongly recommend that you do not use this account. Minimize its use and apply the principle of least privilege to control access, reducing the risk of accidental changes and unintended disclosure of privileged credentials.
Since the root user has complete control over your AWS cloud infrastructure and resources, it is essential to prevent these privileged credentials from falling into the wrong hands. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials.
By default AWS allows you to use the root account, but it is not recommended for everyday use.
- Sign in to the AWS Management Console.
- Navigate to the IAM service at https://console.aws.amazon.com/iam/.
- Click on the Credential report in the left navigation pane.
- Click on the download report option, which lists all your account's users and the status of their various credentials.
- From the report, check the user and password_last_used columns to see when the root user last signed in.
- If you notice that the root user is signing in frequently, you need to reduce its use. To do that, follow the implementation steps.
Using AWS CLI:
The following command downloads the credential report. The API returns the report as a base64-encoded CSV in the Content field, so decode it before reading; if no report has been generated in the last four hours, run aws iam generate-credential-report first.
aws iam get-credential-report --query Content --output text | base64 --decode
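Checking the root row of the credential report by hand is error-prone, so here is an added example (not part of the benchmark text) that parses the decoded report and flags recent root activity. It assumes the real column names of the IAM credential report (user, password_last_used, access_key_1_active, access_key_1_last_used_date and so on) and that the root user appears under the literal name <root_account>; the embedded report, the account ID 123456789012 and the user MyUser are constructed sample data, and the 90-day window is an assumed audit threshold.

```python
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

# Name IAM uses for the root user in the credential report.
ROOT_USER = "<root_account>"

# Report columns that record when a root credential was last exercised.
LAST_USED_COLUMNS = (
    "password_last_used",
    "access_key_1_last_used_date",
    "access_key_2_last_used_date",
)

# Constructed sample report (what `aws iam get-credential-report` returns after
# base64 decoding). The account ID and user name are placeholders.
SAMPLE_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:15:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
MyUser,arn:aws:iam::123456789012:user/MyUser,2024-01-10T00:00:00+00:00,true,2024-06-01T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-06-01T07:59:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
# The CLI's Content field is base64; encode the sample the same way.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode("utf-8")).decode("ascii")

# Fixed "now" so the example is reproducible (assumed audit date).
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)


def parse_credential_report(content_b64: str) -> list:
    """Decode the base64 Content field and return one dict per report row."""
    text = base64.b64decode(content_b64).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))


def parse_timestamp(value: str):
    """Return an aware datetime, or None for the report's 'unknown' markers."""
    if value in (None, "", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def root_usage_findings(rows: list, now: datetime, max_age_days: int = 90) -> list:
    """List root credentials used within max_age_days, plus any active root access keys."""
    root = next((r for r in rows if r.get("user") == ROOT_USER), None)
    if root is None:
        raise ValueError("credential report has no <root_account> row")

    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for column in LAST_USED_COLUMNS:
        used_at = parse_timestamp(root.get(column))
        if used_at is not None and used_at >= cutoff:
            age = (now - used_at).days
            findings.append(f"{column} used {age} days ago ({used_at.isoformat()})")

    # Root access keys mean programmatic root use is possible at all.
    for column in ("access_key_1_active", "access_key_2_active"):
        if root.get(column) == "true":
            findings.append(f"{column} is true: root has an active access key")
    return findings


if __name__ == "__main__":
    report_rows = parse_credential_report(SAMPLE_REPORT_B64)
    for finding in root_usage_findings(report_rows, NOW):
        print("FAIL:", finding)
```

To run it against a live account, replace SAMPLE_REPORT_B64 with the output of aws iam get-credential-report --query Content --output text and NOW with datetime.now(timezone.utc); any finding means the root user has been used recently and the remediation below applies.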
Note: There are a few conditions under which the use of the root account is required, such as requesting a penetration test or creating a CloudFront private key.
Instead of using the root account frequently, create an Admin user and use it. To create an Admin user, follow the steps below.
Using AWS CLI:
The following commands create the user and attach the administrator policy to it:
aws iam create-user --user-name MyUser
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name MyUser
If you want to revoke the changes you made, follow the steps in the Implementation section; from there you can delete the user or change its access policy.
- Security best practices in IAM - AWS Identity and Access Management
- AWS account root user - AWS Identity and Access Management
4.3 Ensure the Use of Dedicated Administrative Accounts
- Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not for internet browsing, email, or similar activities.