# AWS Root Account Management

## 📖 Introduction to AWS Root Account Management

Every new AWS account comes with a root user that has unrestricted access to every service and resource in the account. IAM policies cannot constrain it (only service control policies apply to a member account's root user), so a compromised root credential means a compromised account, and there is no blast-radius control to fall back on. AWS root access management, an AWS Organizations feature operated from the management account (or a delegated administrator for IAM), mitigates this by removing long-lived root credentials from member accounts, blocking root password recovery, and instead issuing short-lived, task-scoped root sessions when a root-only action is genuinely needed.

***

## 🗒️ Understanding AWS Root Account Management's Features

### 1. Prevent New Root Users

Once root credentials management is enabled for the organization, member accounts created through AWS Organizations no longer receive root credentials: the root user still exists as an identity, but it has no console password, access keys or signing certificates, so there is nothing to phish, leak or brute-force. For a member account without root credentials the "forgot password" recovery flow for the root user is blocked as well; the only way back to a root login is a privileged action taken from the management account (see Privileged Actions below), which is itself recorded in CloudTrail.

<figure><img src="/files/pMteP1z1EM46wJ5o2gP0" alt=""><figcaption><p>Failed password recovery for root user</p></figcaption></figure>
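Enabling the feature through the API is a two-step affair that the console hides: IAM must first be granted trusted access in Organizations, then each of the two features (root credentials management and root sessions) is switched on separately. The following is an added example, not code from the original page or from AWS. It assumes it runs from the organization's management account, that the organization has "all features" enabled, and that the caller holds the `organizations:EnableAWSServiceAccess`, `iam:EnableOrganizationsRootCredentialsManagement`, `iam:EnableOrganizationsRootSessions` and `iam:ListOrganizationsFeatures` permissions; the boto3 method names are the real ones, while the stub-friendly structure (clients passed in as parameters) is an assumption of this example.

```python
"""Turn on root credentials management and root sessions for an organization.

Added example, not code from the original page. Assumptions: run from the
organization's management account, the organization has "all features"
enabled, and the caller may call organizations:EnableAWSServiceAccess,
iam:EnableOrganizationsRootCredentialsManagement,
iam:EnableOrganizationsRootSessions and iam:ListOrganizationsFeatures. Real
boto3 clients are created only in main(); every function takes its client as a
parameter so the logic can be driven with stub objects.
"""

ROOT_FEATURES = frozenset({"RootCredentialsManagement", "RootSessions"})
IAM_SERVICE_PRINCIPAL = "iam.amazonaws.com"


def enabled_root_features(iam):
    """Return the set of root-management features the organization has enabled."""
    resp = iam.list_organizations_features()
    return set(resp.get("EnabledFeatures", []))


def enable_root_management(organizations, iam):
    """Enable IAM trusted access, then both root-management features.

    Idempotent: features that are already on are left alone. Returns the set
    of enabled features after the change and raises if AWS still reports one
    as disabled (for example because the caller is not the management account).
    """
    # IAM must be a trusted service in Organizations before it may touch
    # root credentials in member accounts. Re-enabling is harmless.
    organizations.enable_aws_service_access(ServicePrincipal=IAM_SERVICE_PRINCIPAL)

    before = enabled_root_features(iam)
    if "RootCredentialsManagement" not in before:
        iam.enable_organizations_root_credentials_management()
    if "RootSessions" not in before:
        iam.enable_organizations_root_sessions()

    after = enabled_root_features(iam)
    missing = ROOT_FEATURES - after
    if missing:
        raise RuntimeError(f"root management still disabled: {sorted(missing)}")
    return after


def main():
    import boto3  # imported here so the module stays importable without boto3

    session = boto3.Session()
    features = enable_root_management(
        session.client("organizations"), session.client("iam")
    )
    print("enabled root-management features:", sorted(features))


if __name__ == "__main__":
    main()
```

Run it once from the management account; rerunning is safe because `enable_root_management` checks `ListOrganizationsFeatures` before each enable call. The same function is the natural place to hang a compliance check: if the returned set is ever smaller than `ROOT_FEATURES`, someone has disabled the feature, which is worth an alert.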

### 2. Auditing Root User Credentials

From the management account, the root access management view in the IAM console reports, for every member account:

* Which member accounts still have root user credentials
* Whether the root user has MFA enabled
* Whether the root user has a console password set
* Whether the root user has signing certificates

Accounts that still show a password, access keys or signing certificates are the ones to clean up with the Delete root user credentials privileged action; until then they carry the classic root-phishing and credential-leak exposure that the feature exists to remove.

<figure><img src="/files/ocsp4y4z2vwZaZvPVNpy" alt=""><figcaption><p>Root access management console</p></figcaption></figure>

### 3. Privileged Actions

Privileged actions (AWS calls them root sessions) let a principal in the management account call `sts:AssumeRoot` and receive short-term root credentials for a member account. Each session is bound to exactly one AWS-managed task policy and is valid for at most 15 minutes; no task grants unrestricted root, and every AssumeRoot call is recorded in CloudTrail. The available tasks are:

* **Audit root user credentials**: a read-only check of whether a member account's root user still has a password, access keys, signing certificates or MFA. This is what backs the audit view described above.
* **Create root user password**: the escape hatch for an account whose root credentials were removed but which now needs a root console login for something no task policy covers. Remove the password again once the work is done.
* **Delete S3 bucket policy**: for when a misconfigured bucket policy has locked every principal out. Root is the only identity that can still remove it.
* **Delete SQS queue policy**: the same recovery for a queue policy that denies everyone.
* **Delete root user credentials**: removes the root user's console password, access keys and signing certificates from a member account, bringing it to the credential-free state that new accounts start in.

<figure><img src="/files/dORK01RaKSFRrYAU8c6U" alt=""><figcaption><p>Privileged actions as the root user</p></figcaption></figure>
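The two operational cases the page describes, auditing a member account's root credentials and unlocking a bucket, both start from the same `sts:AssumeRoot` call with a different task policy, so one example covers both. This is an added example, not code from the original page or from AWS. It assumes it runs from the management account (or the delegated administrator for IAM) as a principal allowed to call `sts:AssumeRoot`; the account ID and bucket name in `main()` are placeholders; and that the `IAMAuditRootUserCredentials` task policy permits `iam:GetAccountSummary`, whose per-account flags are what the console audit view summarises. The task policy ARNs are AWS's published ones; the function names and the stub-friendly structure are this example's own.

```python
"""Take task-scoped root sessions against a member account with sts:AssumeRoot.

Added example, not code from the original page. Assumptions: run from the
management account (or the delegated administrator for IAM) by a principal
allowed to call sts:AssumeRoot; the account ID and bucket in main() are
placeholders; and the IAMAuditRootUserCredentials task policy permits
iam:GetAccountSummary. Real boto3 clients are created only in main(); the
functions take their client as a parameter so the logic can be driven with
stub objects.
"""

# AWS-managed task policies for root sessions. A session is bound to exactly
# one of them; there is no "full root" task.
TASK_POLICY_ARN = "arn:aws:iam::aws:policy/root-task/{name}"
TASKS = {
    "audit": "IAMAuditRootUserCredentials",
    "create-password": "IAMCreateRootUserPassword",
    "delete-credentials": "IAMDeleteRootUserCredentials",
    "unlock-s3": "S3UnlockBucketPolicy",
    "unlock-sqs": "SQSUnlockQueuePolicy",
}
MAX_SESSION_SECONDS = 900  # AssumeRoot credentials live at most 15 minutes


def assume_root(sts, account_id, task, duration=MAX_SESSION_SECONDS):
    """Return short-term root credentials for account_id, scoped to one task."""
    if task not in TASKS:
        raise ValueError(f"unknown task {task!r}; choose from {sorted(TASKS)}")
    if not 0 < duration <= MAX_SESSION_SECONDS:
        raise ValueError("root sessions are capped at 900 seconds")
    resp = sts.assume_root(
        TargetPrincipal=account_id,
        TaskPolicyArn={"arn": TASK_POLICY_ARN.format(name=TASKS[task])},
        DurationSeconds=duration,
    )
    return resp["Credentials"]


def root_credential_findings(iam_as_root):
    """Audit the member account's root user from an 'audit' root session.

    GetAccountSummary reports 1/0 flags for the root user's credentials; the
    result lists what still needs cleaning up (an empty list is the goal).
    """
    summary = iam_as_root.get_account_summary()["SummaryMap"]
    findings = []
    if summary.get("AccountPasswordPresent"):
        findings.append("root console password present")
    if summary.get("AccountAccessKeysPresent"):
        findings.append("root access keys present")
    if summary.get("AccountSigningCertificatesPresent"):
        findings.append("root signing certificates present")
    if summary.get("AccountPasswordPresent") and not summary.get("AccountMFAEnabled"):
        findings.append("root password without MFA")
    return findings


def unlock_bucket(s3_as_root, bucket):
    """Remove a bucket policy that locked everyone out (needs 'unlock-s3')."""
    s3_as_root.delete_bucket_policy(Bucket=bucket)
    return bucket


def main():
    import boto3  # imported here so the module stays importable without boto3

    account, bucket = "111122223333", "example-locked-bucket"  # placeholders
    sts = boto3.client("sts")

    def as_root(service, task):
        # One AssumeRoot call per task: the credentials carry only that policy.
        c = assume_root(sts, account, task)
        return boto3.client(
            service,
            aws_access_key_id=c["AccessKeyId"],
            aws_secret_access_key=c["SecretAccessKey"],
            aws_session_token=c["SessionToken"],
        )

    print("findings:", root_credential_findings(as_root("iam", "audit")))
    print("unlocked:", unlock_bucket(as_root("s3", "unlock-s3"), bucket))


if __name__ == "__main__":
    main()
```

Note that `as_root` deliberately takes a fresh session per task rather than reusing one: credentials from the audit session cannot delete a bucket policy, and vice versa, so the code mirrors the least-privilege boundary AWS enforces instead of fighting it. Loop `root_credential_findings` over the accounts from `organizations:ListAccounts` to reproduce the console audit view as a script.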

***

## 📚 Additional Resources

* [AWS Root Account Management Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html)

***

## 🏗️ Hands-on Exercises

{% content-ref url="/pages/xPcMwwIzB2MotblmUV3z" %}
[Lab: Deploying AWS Root Account Management via Terraform](/academy/aws-security-cookbook-by-tyler/aws-root-account-management/lab-deploying-aws-root-account-management-via-terraform.md)
{% endcontent-ref %}


