Back to Remediation Guide

AWS root user best practices

Tips, tricks, and best practices for using (or not using) your AWS accounts root user.

If you have an AWS account, you have an AWS root user and the potential security issues that come along with it. The root user for your AWS account isn’t restricted by IAM roles or permissions. It has free reign to do anything and everything from accessing critical data, opening firewall ports for attacks on your servers, creating cross account access roles, anything… Someone who gets access to this user wouldn’t necessarily be destructive about it as well, they could easily just create further access to be used down the road when you decide to change the root password or add MFA.

Here are a list of best practices that will secure your account and prevent malicious use of possibly one of your companies single greatest points of failure.

Use MFA

If you take nothing else away form this article, know that you MUST use multi factor authentication on your AWS root account. I don’t even know why it’s optional from AWS’s perspective. If you don’t have it enabled, go right now and do so. Here’s the how to articles from AWS:

A hardware MFA device like a yubikey would be best, but if that’s not feasible use a virtual MFA device with 1password or an app on your phone with google authenticator for android or iOS.

Don’t use root access keys

If you need programmatic access to your account, you should be using IAM CLI keys for users during development, and IAM roles attached to instances/services in production. Having a root account access key laying around is a huge unneeded liability, as it again has full access to your account and can most likely bypass the MFA you just added above.

If you have root access keys enabled, delete them with these steps.

Use a strong password and a password manager

AWS lets you use up to a 128 character length for a root user password, so why not use all of it? You should be using a password manager like 1password in this day and age anyway, so max out the length with lowercase, uppercase, numbers, and symbols for the best security possible.

Don’t use it

A good way to protect yourself is to just not use the root user in the first place. Like internet explorers first and only task of installing a different browser, your root user should be used to create a new IAM admin user. See creating an admin user.

Make sure to give a user access to billing as well. Even if you give a user full admin permissions you need to enable access to billing separately. See this AWS article on delegating billing access.

Monitor usage

Now that you’ve delegated billing access, added MFA, and removed the need to log into the root user, you can now monitor access and alarm on root user login. At Reconfig, we have created a security automation tool to help monitor usage of your root account.