AWS Root Account Management
An overview of AWS Root Account Management
When a new AWS account is created, it includes a Root user with full access to all AWS services and resources. If the Root user credentials are compromised, this poses a significant security risk. AWS Root Account Management mitigates this risk by restricting Root user access and allowing temporary elevation to Root permissions when necessary.
Once enabled, new AWS accounts are created without a Root user. You are also no longer able to reset the Root user's password (unless you leverage ).
We gain insights into:
Which AWS accounts have the Root user enabled
Whether the Root user has MFA enabled
Whether the Root user has a console password set
Whether the Root user has Signing Certificates enabled
Privileged actions allow us to assume the Root user's credentials for 15 minutes. Here are some of the actions we can perform:
Delete S3 bucket policy: Useful when you've misconfigured a bucket policy and locked yourself out. We can use the Root user to resolve this.
Delete SQS queue policy: Useful when you've misconfigured a queue policy and locked yourself out. We can use the Root user to resolve this.
Delete root user credentials: Removes the Root user's credentials from a member account.
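The following is an added example (not code from the page's author or from AWS) covering both parts above: it triages the per-account insights the feature surfaces (Root user enabled, MFA, console password, signing certificates) and shows how a short-lived privileged session for one of the listed actions is obtained. It assumes boto3's STS client exposes an assume_root call taking TargetPrincipal, TaskPolicyArn and DurationSeconds, and that the task-scoped managed policies live under arn:aws:iam::aws:policy/root-task/<Name>; verify both against current AWS documentation. The account ids, bucket name and insight records are constructed samples.

```python
"""Added example: triage of root-user insights and a 15-minute privileged
root session via STS AssumeRoot.  Not code from the page's author or AWS.

Assumptions (verify against current AWS docs before relying on them):
  * boto3's STS client exposes assume_root(TargetPrincipal, TaskPolicyArn,
    DurationSeconds), available once centralized root access is enabled.
  * The task-scoped managed policies live under
    arn:aws:iam::aws:policy/root-task/<Name>.
  * The account ids, bucket name and insight records are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List

try:
    import boto3  # only needed for the live AssumeRoot call
except ImportError:  # the triage helpers run without the SDK installed
    boto3 = None

# Privileged actions named on the page, mapped to the task policy each needs.
TASK_POLICIES: Dict[str, str] = {
    "delete_s3_bucket_policy": "S3UnlockBucketPolicy",
    "delete_sqs_queue_policy": "SQSUnlockQueuePolicy",
    "delete_root_credentials": "IAMDeleteRootUserCredentials",
}
MAX_ROOT_SESSION_SECONDS = 900  # the 15-minute ceiling described above


def task_policy_arn(action: str) -> str:
    """Return the ARN of the task policy for one of the listed actions."""
    try:
        return f"arn:aws:iam::aws:policy/root-task/{TASK_POLICIES[action]}"
    except KeyError:
        raise ValueError(f"unknown privileged action: {action}") from None


@dataclass
class RootInsight:
    """One member account's root-user state, as surfaced by the feature."""
    account_id: str
    root_enabled: bool
    mfa_enabled: bool
    console_password: bool
    signing_certificates: bool


def risky_accounts(insights: List[RootInsight]) -> Dict[str, List[str]]:
    """Map account id -> list of findings worth acting on.

    An account whose Root user is already disabled needs nothing; one that
    still has a Root user is flagged, plus a finding for a console password
    without MFA and for any signing certificate still present.
    """
    findings: Dict[str, List[str]] = {}
    for i in insights:
        if not i.root_enabled:
            continue
        issues = ["root user still enabled"]
        if i.console_password and not i.mfa_enabled:
            issues.append("console password without MFA")
        if i.signing_certificates:
            issues.append("signing certificate present")
        findings[i.account_id] = issues
    return findings


def assume_root_session(target_account: str, action: str,
                        duration: int = MAX_ROOT_SESSION_SECONDS):
    """Obtain temporary Root credentials for one task in a member account.

    The session is bounded both by the 15-minute duration and by the task
    policy: it can do nothing beyond the named action.
    """
    if not 0 < duration <= MAX_ROOT_SESSION_SECONDS:
        raise ValueError("root sessions are capped at 15 minutes")
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live AssumeRoot call")
    sts = boto3.client("sts")
    creds = sts.assume_root(
        TargetPrincipal=target_account,
        TaskPolicyArn={"arn": task_policy_arn(action)},
        DurationSeconds=duration,
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def unlock_bucket(target_account: str, bucket: str) -> None:
    """Recover from a lock-out by deleting the misconfigured bucket policy."""
    s3 = assume_root_session(target_account, "delete_s3_bucket_policy").client("s3")
    s3.delete_bucket_policy(Bucket=bucket)


if __name__ == "__main__":
    # Constructed sample of the insights the page lists; no AWS call is made.
    sample = [
        RootInsight("111111111111", True, False, True, False),
        RootInsight("222222222222", True, True, True, True),
        RootInsight("333333333333", False, False, False, False),
    ]
    for account, issues in risky_accounts(sample).items():
        print(account, "->", "; ".join(issues))
```

Running the file as-is only exercises the triage helpers on the constructed sample; unlock_bucket performs the live AssumeRoot exchange and requires management-account credentials with the feature enabled. Keeping the action-to-task-policy mapping in one table makes it easy to see that a privileged session is scoped to exactly one recovery task rather than to full Root access.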