{
	"id": "c3c7438f-63c3-42ac-be9f-65e285a6209c",
	"created_at": "2026-04-06T00:22:02.830281Z",
	"updated_at": "2026-04-10T13:12:11.776998Z",
	"deleted_at": null,
	"sha1_hash": "d238a71e297eec8168a13638b1bc504026b5f6ee",
	"title": "AWS account root user - AWS Identity and Access Management",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61281,
	"plain_text": "AWS account root user - AWS Identity and Access Management\r\nArchived: 2026-04-05 16:09:43 UTC\r\nWhen you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has\r\ncomplete access to all AWS services and resources in the account. This identity is called the AWS account root\r\nuser. The email address and password that you used to create your AWS account are the credentials you use to\r\nsign in as your root user.\r\nUse the root user only to perform the tasks that require root-level permissions. For the complete list of\r\ntasks that require you to sign in as the root user, see Tasks that require root user credentials.\r\nFollow the root user best practices for your AWS account.\r\nIf you're having trouble signing in, see Sign in to the AWS Management Console.\r\nImportant\r\nWe strongly recommend that you don't use the root user for your everyday tasks and that you follow the root user\r\nbest practices for your AWS account. Safeguard your root user credentials and use them to perform the tasks that\r\nonly the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks\r\nthat require root user credentials.\r\nWhile MFA is enforced for root users by default, it requires customer action to add MFA during the initial account\r\ncreation or as prompted during sign-in. For more information about using MFA to protect the root user, see Multi-factor authentication for AWS account root user.\r\nCentrally manage root access for member accounts\r\nTo help you manage credentials at scale, you can centrally secure access to root user credentials for member\r\naccounts in AWS Organizations. When you enable AWS Organizations, you combine all your AWS accounts into\r\nan organization for central management. Centralizing root access lets you remove root user credentials and\r\nperform the following privileged tasks on member accounts.\r\nRemove member account root user credentials\r\nAfter you centralize root access for member accounts, you can choose to delete root user credentials from\r\nmember accounts in your organization. You can remove the root user password, access keys, and signing\r\ncertificates, and deactivate multi-factor authentication (MFA). New accounts you create in Organizations\r\nhave no root user credentials by default. Member accounts can't sign in to their root user or perform\r\npassword recovery for their root user unless account recovery is enabled.\r\nPerform privileged tasks that require root user credentials\r\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\r\nPage 1 of 3\r\nSome tasks can only be performed when you sign in as the root user of an account. Some of these Tasks\r\nthat require root user credentials can be performed by the management account or delegated administrator\r\nfor IAM. To learn more about taking privileged actions on member accounts, see Perform a privileged task.\r\nEnable account recovery of the root user\r\nIf you need to recover root user credentials for a member account, the Organizations management account\r\nor delegated administrator can perform the Allow password recovery privileged task. The person with\r\naccess to the root user email inbox for the member account can reset the root user password to recover root\r\nuser credentials. We recommend deleting root user credentials once you complete the task that requires\r\naccess to the root user.\r\nTasks that require root user credentials\r\nWe recommend that you configure an administrative user in AWS IAM Identity Center to perform daily tasks and\r\naccess AWS resources. However, you can perform the tasks listed below only when you sign in as the root user of\r\nan account.\r\nTo simplify managing privileged root user credentials across member accounts in AWS Organizations, you can\r\nenable centralized root access to help you centrally secure highly privileged access to your AWS accounts.\r\nCentrally manage root access for member accounts lets you centrally remove and prevent long-term root user\r\ncredential recovery, improving account security in your organization. After you enable this feature, you can\r\nperform the following privileged tasks on member accounts.\r\nRemove member account root user credentials to prevent account recovery of the root user. You can also\r\nallow password recovery to recover root user credentials for a member account.\r\nRemove a misconfigured bucket policy that denies all principals from accessing an Amazon S3 bucket.\r\nDelete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an\r\nAmazon SQS queue.\r\nAccount Management Tasks\r\nChange your AWS account settings. Standalone AWS accounts that are not part of AWS Organizations\r\nrequire root credentials to update the email address, root user password, and root user access keys. Other\r\naccount settings, such as account name, contact information, alternate contacts, payment currency\r\npreference, and AWS Regions, don't require root user credentials.\r\nNote\r\nAWS Organizations, with all features enabled, can be used to manage member account settings centrally\r\nfrom the management account and delegated admin accounts. Authorized IAM users or IAM roles in both\r\nthe management account and delegated admin accounts can close member accounts and update the root\r\nemail addresses, account names, contact information, alternate contacts, and AWS Regions of member\r\naccounts.\r\nClose your AWS account. Standalone AWS accounts that are not part of AWS Organizations require root\r\ncredentials to close the account. With AWS Organizations, you can close the member accounts centrally\r\nfrom the management account and delegated admin accounts.\r\nRestore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions,\r\nyou can sign in as the root user to edit policies and restore those permissions.\r\nBilling Tasks\r\nActivate IAM access to the Billing and Cost Management console.\r\nSome Billing tasks are limited to the root user. See Managing an AWS account in the AWS Billing User Guide\r\nfor more information.\r\nView certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and\r\ndownload VAT invoices from AWS Europe, but not AWS Inc. or Amazon Internet Services Private Limited\r\n(AISPL).\r\nAWS KMS Task\r\nIn the event that an AWS Key Management Service key becomes unmanageable, an administrator can\r\nrecover it by contacting Support; however, Support responds to your root user's primary phone number for\r\nauthorization by confirming the ticket OTP.\r\nAdditional resources\r\nFor more information about the AWS root user, see the following resources:\r\nFor help with root user issues, see Troubleshoot issues with the root user.\r\nTo centrally manage root user email addresses in AWS Organizations, see Updating the root user email\r\naddress for a member account in the AWS Organizations User Guide.\r\nThe following articles provide additional information about working with the root user.\r\nWhat are some best practices for securing my AWS account and its resources?\r\nHow can I create an EventBridge event rule to notify me that my root user was used?\r\nMonitor and notify on AWS account root user activity\r\nMonitor IAM root user activity\r\nSource: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
	],
	"report_names": [
		"id_root-user.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d238a71e297eec8168a13638b1bc504026b5f6ee.pdf",
		"text": "https://archive.orkl.eu/d238a71e297eec8168a13638b1bc504026b5f6ee.txt",
		"img": "https://archive.orkl.eu/d238a71e297eec8168a13638b1bc504026b5f6ee.jpg"
	}
}