The AWS root user is the first identity that has access to your AWS account. Amazon’s full documentation on IAM best practices for the root account is extensive. For more links to other AWS security best practices please see: SecFrame’s list of AWS links.The email address associated with this account is the recovery email address for the entire AWS account. It is the God account.
Best practices of AWS identity management has you make an AWS account and then complete series of tasks which add a high degree of security to your AWS account.
The steps outlined in the AWS IAM Best Practices:
The arn identifier for the account and root is:
arn:aws:iam::{ACCOUNT_ID}:root The root user is the account itself. When you sign into this ‘user’ you are performing functions as the account.
arn:aws:iam::{ACCOUNT_ID}:root
Source: AWS Reference Identifiers
Important: We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Source :Root User Guide
It’s important to note that there are items that only the root user can do: AWS Tasks that require root credentials. Source
See my Enable MFA post (with pictures!) for a guide on enabling MFA for any AWS account. By securing the root account with MFA you make sure that the person logging into the root account is actually approved to log in. There are support cases where people lose their root account and the attacker enables MFA on your account with the attacking user’s MFA device. The attacker implemented a security control before the actual owner of the account. The attacker beat the owner at a race to security.
Why enable MFA in a business environment if you are the only person who has access to the email?
The topic of where to store access keys comes up a lot in security forums. (For access to an AWS slack spaced, connect with me on Twitter or LinkedIn.) The consensus in the communities for the root user’s access key leans toward deleting it. By deleting the key, you will remove the exposure to your account.aws Remove the root user access key and remove the risk
Items to consider:
If you are wondering who else has access keys in your AWS account and AWS organization? Learn how to check for all user’s access keys with my post here : List All AWS Access Keys in an Organization
I forgot the root email address. Now what?
If you forget the root email address associated with your account but still have administrative access to the account, please note: there are no API calls available to find the email address associated with the root account. Unless…
How to find your account’s canonical user ID without the root user?
$buckets = get-s3bucket $region = 'us-east-1' $objects = $buckets| %{Get-S3Object -BucketName $_.bucketName -region $region} ($objects |select-object -property owner -unique).owner.id