AWS Root Account Management
An overview of AWS Root Account Management
Introduction to AWS Root Account Management
Every new AWS account is created with a root user that has full, unrestricted access to all services and resources in that account. No IAM policy can limit it, so a compromise of the root credentials is a compromise of the entire account. AWS Root Account Management (the IAM feature for centrally managing root access across an AWS Organization) mitigates this risk by removing standing root credentials from member accounts and replacing them with short-lived, task-scoped root sessions that are requested from the management account only when they are actually needed.
Understanding AWS Root Account Management's Features
1. Prevent New Root Users
Once enabled, member accounts created in the organization are provisioned without root user credentials: no console password, no access keys, no signing certificates. The root user still exists as a principal, but nothing can sign in as it. Root password recovery is also disabled for member accounts, so a root password cannot be re-established through the "forgot password" flow; it can only be created deliberately through a privileged action (Allow password recovery) run from the management account. Note that accounts that already existed when the feature was enabled keep their root credentials until you remove them with the Delete root user credentials privileged action.

2. Auditing Root User Credentials
From the management account we gain organization-wide visibility into:
Which member accounts still have root user credentials (existing accounts keep theirs until they are explicitly removed)
Whether the root user has MFA enabled
Whether the root user has a console password set
Whether the root user has access keys
Whether the root user has X.509 signing certificates

3. Privileged Actions
Privileged actions let a principal in the management account (or the delegated administrator for IAM) call sts:AssumeRoot against a member account and receive root credentials that are valid for at most 15 minutes and limited to a single task policy. The member account's own root credentials are never created or revealed, and every call is recorded in CloudTrail, so it is worth alerting on. Here are some of the tasks we can perform:
Delete S3 bucket policy: useful when a misconfigured bucket policy has locked everyone, including administrators, out of a bucket. The root session can delete the policy; it cannot do anything else.
Delete SQS queue policy: the same recovery path for a queue policy that has locked everyone out.
Delete root user credentials: removes the root user's console password, access keys and signing certificates (and associated MFA devices) from a member account, bringing an existing account into the same "no standing root credentials" state as newly created ones.
Allow password recovery: re-enables the password reset flow for a member account's root user when a standing root password is genuinely required.
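The following is an added example, not code from the original page: it drives the auditing and privileged-action features described in sections 2 and 3 through sts:AssumeRoot. The task policy ARNs and boto3 method names are as documented for AssumeRoot (verify them against the current IAM documentation before relying on them), the summary keys are those returned by iam:GetAccountSummary, and FakeSts, FakeIam and SAMPLE_SUMMARIES are constructed test doubles so the triage logic runs offline. Against real AWS, replace the fakes with boto3.client("sts") and boto3_client_factory("iam") from a principal that holds sts:AssumeRoot in the management account.

```python
"""Added example: centralized root access checks via sts:AssumeRoot.

AWS clients are injected so everything below can run offline; FakeSts and
FakeIam are constructed doubles, not AWS responses.
"""
from dataclasses import dataclass, field

# Task policies AWS provides for short-term root sessions. A session is bound
# to exactly one of them and lasts at most 900 seconds (15 minutes).
ROOT_TASKS = {
    "audit": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials",
    "delete_creds": "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials",
    "create_password": "arn:aws:iam::aws:policy/root-task/IAMCreateRootUserPassword",
    "unlock_s3": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy",
    "unlock_sqs": "arn:aws:iam::aws:policy/root-task/SQSUnlockQueuePolicy",
}
MAX_ROOT_SESSION_SECONDS = 900


def assume_root(sts, account_id, task, duration=MAX_ROOT_SESSION_SECONDS):
    """Return short-term root credentials for one member account, scoped to
    one task policy. `sts` is a boto3 STS client (or a double) for a principal
    in the management account or the IAM delegated administrator."""
    if task not in ROOT_TASKS:
        raise ValueError(f"unknown root task {task!r}")
    if not 0 < duration <= MAX_ROOT_SESSION_SECONDS:
        raise ValueError("root sessions are limited to 900 seconds")
    resp = sts.assume_root(
        TargetPrincipal=account_id,
        TaskPolicyArn={"arn": ROOT_TASKS[task]},
        DurationSeconds=duration,
    )
    return resp["Credentials"]


def boto3_client_factory(service):
    """Build `service` clients from AssumeRoot credentials; boto3 is imported
    lazily so the rest of the module works without it installed."""
    def make(creds):
        import boto3
        return boto3.client(service, aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    return make


@dataclass
class RootCredentialReport:
    account_id: str
    password_present: bool
    access_keys_present: bool
    signing_certs_present: bool
    mfa_enabled: bool
    findings: list = field(default_factory=list)

    @property
    def has_standing_credentials(self):
        return self.password_present or self.access_keys_present or self.signing_certs_present


def triage_root_summary(account_id, summary_map):
    """Classify iam:GetAccountSummary's SummaryMap. Counters are 0/1; a missing
    key is treated as 0 (credential absent)."""
    def present(key):
        return int(summary_map.get(key, 0)) > 0
    report = RootCredentialReport(
        account_id=account_id,
        password_present=present("AccountPasswordPresent"),
        access_keys_present=present("AccountAccessKeysPresent"),
        signing_certs_present=present("AccountSigningCertificatesPresent"),
        mfa_enabled=present("AccountMFAEnabled"),
    )
    if report.access_keys_present:
        report.findings.append("root access keys present")
    if report.signing_certs_present:
        report.findings.append("root signing certificates present")
    if report.password_present and not report.mfa_enabled:
        report.findings.append("root console password without MFA")
    return report


def audit_account(sts, account_id, iam_factory):
    """Privileged action: audit one member account's root credentials."""
    creds = assume_root(sts, account_id, "audit")
    return triage_root_summary(account_id, iam_factory(creds).get_account_summary()["SummaryMap"])


def unlock_bucket(sts, account_id, bucket, s3_factory):
    """Privileged action: delete a bucket policy that locked everyone out."""
    s3_factory(assume_root(sts, account_id, "unlock_s3")).delete_bucket_policy(Bucket=bucket)


class FakeSts:
    """Constructed stand-in for the STS client; records each AssumeRoot call."""
    def __init__(self):
        self.calls = []

    def assume_root(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s", "SessionToken": "t"}}


class FakeIam:
    """Constructed stand-in for an IAM client built from root session credentials."""
    def __init__(self, summary_map):
        self.summary_map = summary_map

    def get_account_summary(self):
        return {"SummaryMap": dict(self.summary_map)}


# Constructed sample data: two made-up member account IDs and summaries.
SAMPLE_SUMMARIES = {
    "111111111111": {"AccountPasswordPresent": 1, "AccountMFAEnabled": 0,
                     "AccountAccessKeysPresent": 1, "AccountSigningCertificatesPresent": 0},
    "222222222222": {"AccountPasswordPresent": 0, "AccountMFAEnabled": 0,
                     "AccountAccessKeysPresent": 0, "AccountSigningCertificatesPresent": 0},
}

if __name__ == "__main__":
    sts = FakeSts()
    for acct, summary in SAMPLE_SUMMARIES.items():
        report = audit_account(sts, acct, lambda creds, s=summary: FakeIam(s))
        print(acct, report.findings if report.has_standing_credentials else "clean")
```

The duration cap and the task whitelist are enforced client-side only as a guard against typos; AWS enforces both server-side, and a request for a task ARN outside the root-task set or a session longer than 900 seconds is rejected by STS regardless.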

Additional Resources
Hands-on Exercises
Lab: Deploying AWS Root Account Management via Terraform