AWS Root Account Management

📖 Introduction to AWS Root Account Management

When a new AWS account is created, it includes a Root user with full access to all AWS services and resources. If the Root user credentials are compromised, this poses a significant security risk. AWS Root Account Management mitigates this risk by restricting Root user access and allowing temporary elevation to Root permissions when necessary.

🗒️ Understanding AWS Root Account Management's Features

1. Prevent New Root Users

Once enabled, new Root users are not created in new AWS accounts. Additionally, you are no longer able to password reset the Root user (unless you leverage Privileged Actions).

2. Auditing Root User Credentials

We gain insights into:

• Which AWS accounts have the Root user enabled

• Whether the Root user has MFA enabled

• Whether the Root user has a console password set

• Whether the Root user has Signing Certificates enabled

3. Privileged Actions

Privileged actions allow us to assume the root user credentials for 15 minutes. Here are some of the actions we can perform:

• Delete S3 bucket policy: Useful when you've misconfigured a bucket policy and locked yourself out. We can use the Root user to resolve this.

• Delete SQS queue policy: Useful when you've misconfigured a queue policy and locked yourself out. We can use the Root user to resolve this.

• Delete root user credentials: Removes the Root user's credentials from a member account.

📚 Additional Resources

• AWS Root Account Management Documentation

🏗️ Hands-on Exercises