Profile Applicability:
Level 1
Description:
This control ensures that the use of the AWS root account is avoided for everyday administrative or operational tasks. The root account has unrestricted access to all AWS resources and settings, and its misuse can lead to severe security, compliance, and operational risks. Instead, IAM users and roles with the principle of least privilege should be used to perform all administrative and programmatic activities.
Rationale:
The AWS root account has full, non-restrictable privileges across all AWS services, including the ability to close accounts, delete resources, and modify billing settings. Using it for routine operations increases the risk of accidental or malicious changes and makes it difficult to maintain accountability. Avoiding root account usage enhances traceability, reduces exposure, and aligns with security best practices and compliance frameworks like CIS, ISO 27001, SOC 2, and NIST 800-53.
Impact:
Positive Impact: Improves security posture by reducing the likelihood of unauthorized changes or accidental deletions, and promotes accountability through individual IAM user activity logging.
Negative Impact: Some infrequent administrative tasks that require root credentials (such as account-level configurations) may take slightly longer to execute when limited to designated occasions.
Default Value:
AWS root accounts are created with full privileges by default. AWS does not restrict their use unless the organization enforces access controls or internal policies.
Pre-Requisite:
Root account credentials must be securely stored and only accessed for account-level actions.
IAM users and roles with appropriate privileges must be configured to replace root usage for daily tasks.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console as an IAM administrator.
Navigate to CloudTrail → Event history.
Filter events by “Event source = signin.amazonaws.com” and “User name = root”.
Review the event history to determine if the root account has been used recently.
If there are root account sign-in or activity events for routine operations, the account is non-compliant.
Implementation Plan:
Using AWS Console:
Create an administrative IAM user or role with full administrative privileges (e.g., using the AWS managed policy AdministratorAccess).
Ensure MFA is enabled for the root account and store its credentials securely offline.
Review and update any scripts, automation, or processes using root credentials to use IAM users or roles instead.
Regularly monitor AWS CloudTrail logs for any root account usage.
Configure an Amazon CloudWatch alarm or AWS Config rule to alert when root account activity is detected.
Use AWS Organizations and Service Control Policies (SCPs) to further restrict root-level operations where possible.
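Added example (not part of this control's text): the same root-usage logic the Test Plan applies by hand in Event history and that the CloudWatch alarm step applies as a metric filter, run over a few constructed CloudTrail records so it can be exercised offline. The record field names are CloudTrail's own; the sample events, account id and timestamps are made up, and in practice the input would be the events returned by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root` or the log files CloudTrail delivers to S3.

```python
# Constructed sample CloudTrail records (not real logs): a root console
# sign-in, a root API call, a root-attributed call made by an AWS service on
# the account's behalf (invokedBy present), and an ordinary IAM user call.
SAMPLE_EVENTS = [
    {"eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventTime": "2024-05-01T08:12:00Z",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventTime": "2024-05-01T08:15:00Z",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "eventTime": "2024-05-01T09:00:00Z",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "invokedBy": "config.amazonaws.com"}},
    {"eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventTime": "2024-05-01T09:30:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def is_root_usage(event: dict) -> bool:
    """Same logic as the CIS CloudWatch metric filter for root usage:
    userIdentity.type == "Root", no invokedBy (service-initiated calls on
    the account's behalf are ignored), and not an AwsServiceEvent."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


def find_root_usage(events: list) -> list:
    """(eventTime, eventSource, eventName) for every event where a person
    or script acted as root; any hit makes the account non-compliant."""
    return [(e["eventTime"], e["eventSource"], e["eventName"])
            for e in events if is_root_usage(e)]


def root_console_logins(events: list) -> list:
    """Subset of hits that are interactive console sign-ins, i.e. what the
    Test Plan's Event history filter shows."""
    return [h for h in find_root_usage(events)
            if h[1] == "signin.amazonaws.com" and h[2] == "ConsoleLogin"]


if __name__ == "__main__":
    for hit in find_root_usage(SAMPLE_EVENTS):
        print("ROOT ACTIVITY:", *hit)
```

The invokedBy exclusion matters: a service acting on the account's behalf is logged with a Root identity but is not a person using root credentials, so alerting on it would only produce noise.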
Backout Plan:
If the root account must be used temporarily (for example, for billing changes or support requests), document the purpose, time, and person responsible.
After completing the task, sign out immediately, and continue using IAM roles for all subsequent operations.
Reassess policies and re-implement alerts to detect any future root usage.
References: