How to secure the AWS root account

Topic: Accounts access

Summary

Lock down the AWS root account: enable MFA, remove access keys, create an IAM admin user for daily use, and apply a root-usage alert. Use this guide before using root for anything except account-level tasks and break-glass.

Intent: How-to

Quick answer

  • Sign in as root and enable MFA on the root user; never use root for daily operations.
  • Delete all root access keys and do not create new ones; use IAM users or IAM Identity Center instead.
  • Create an IAM user with admin permissions for day-to-day use and set up a CloudWatch alarm for root sign-in.

Steps

  1. Sign in as root and enable MFA

    Sign in to the root account at https://signin.aws.amazon.com/root. In IAM → Users → root → Security credentials, assign a hardware or virtual MFA device. Do not skip MFA for root.

  2. Remove all root access keys

    In the same Security credentials tab, under Access keys, delete every root access key. Root should have no long-lived credentials; use IAM users or roles for programmatic access.

  3. Create an IAM admin user for daily use

    Create an IAM user (e.g. admin), attach AdministratorAccess or a custom policy with least privilege, enable MFA for that user, and use this user (or IAM Identity Center) for all routine work.

  4. Set a root sign-in alarm

    In CloudWatch, create an alarm on the AWS/AccountMetric namespace for RootAccountUsage; alternatively use EventBridge to detect root sign-in and send an alert so you investigate any root use.

  5. Document break-glass procedure

    Document how to perform emergency root access (see break-glass guide); store credentials for root MFA and recovery in a secure, offline location known to designated responders.

Summary

You will secure the AWS root account by enabling MFA, removing all root access keys, creating an IAM admin user for daily use, and setting an alert for root sign-in. Use this guide when you first set up an AWS account or when auditing root security. Root should only be used for account-level tasks (e.g. changing support plan, closing the account) and emergency break-glass.

Prerequisites

  • Access to the AWS root account (email and password).
  • Ability to set up a virtual or hardware MFA device for the root user.
  • Permissions to create IAM users and CloudWatch alarms (you will use root once for this setup).

Steps

Step 1: Sign in as root and enable MFA

  1. Sign in at https://signin.aws.amazon.com/root with the root account email and password.
  2. Open IAM → Users → select root → Security credentials.
  3. Under Multi-factor authentication (MFA), click Assign MFA device. Choose a virtual MFA (e.g. authenticator app) or hardware MFA, then complete the enrollment. Root must have MFA enabled.

Step 2: Remove all root access keys

  1. On the same Security credentials tab, find Access keys.
  2. Delete every listed access key. Root must not have long-lived access keys; use IAM users or IAM roles for CLI and API access. If you see no keys, you are done.

Step 3: Create an IAM admin user for daily use

  1. In IAM → Users → Create user, create a user (e.g. admin) with console access and optionally programmatic access.
  2. Attach the managed policy AdministratorAccess (or a custom least-privilege policy) and set a strong password and MFA requirement.
  3. Use this IAM user (or IAM Identity Center) for all day-to-day work; do not sign in as root except for account-level or break-glass tasks.

Step 4: Set a root sign-in alarm

  1. In CloudWatch → Alarms (or EventBridge), create a rule or alarm that fires when the root user signs in. Use AWS/AccountMetric with metric RootAccountUsage if available in your region, or an EventBridge rule for AWS sign-in events filtered for root.
  2. Send notifications to an SNS topic (email or Slack) so the team investigates any root usage immediately.

Step 5: Document break-glass procedure

Document who may use root, when (emergency only), and how (see the break-glass guide). Store root MFA seed or backup codes in a secure, offline location accessible to designated responders.

Verification

  • Root MFA: IAM → Users → root → Security credentials shows MFA assigned.
  • Root keys: No access keys listed for the root user.
  • IAM admin: You can sign in as the IAM admin user and perform normal operations without using root.
  • Alarm: CloudWatch or EventBridge has an alarm/rule for root sign-in and a test notification was received.
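The first two verification items (root MFA assigned, no root access keys) can be checked without the console by reading the IAM credential report, whose `<root_account>` row carries `mfa_active` and `access_key_N_active` columns. The script below is an added example and not part of the original guide; the `SAMPLE_REPORT` and `SAMPLE_REPORT_HARDENED` CSVs are constructed (only the columns the check reads are included), and `live_report()` assumes boto3 and credentials allowed to call GenerateCredentialReport and GetCredentialReport.

```python
"""Verify root posture from the IAM credential report (added example, not the guide's own code)."""
import csv
import io
import time

# Constructed credential report, trimmed to the columns this check reads.
# Root here still violates the guide: no MFA, one active access key.
SAMPLE_REPORT = """user,arn,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2024-05-01T09:12:00+00:00,false,true,2024-04-30T00:00:00+00:00,false,N/A
admin,arn:aws:iam::111122223333:user/admin,2024-05-02T10:00:00+00:00,true,false,N/A,false,N/A
"""

# Same account after Steps 1 and 2: MFA on, no root keys.
SAMPLE_REPORT_HARDENED = """user,arn,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2024-05-01T09:12:00+00:00,true,false,N/A,false,N/A
admin,arn:aws:iam::111122223333:user/admin,2024-05-02T10:00:00+00:00,true,false,N/A,false,N/A
"""


def root_findings(report_csv):
    """Return a list of findings for the <root_account> row; empty means MFA on and no keys."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        return ["no <root_account> row in credential report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root MFA not enabled")
    for n in ("1", "2"):
        if root[f"access_key_{n}_active"] == "true":
            last = root[f"access_key_{n}_last_used_date"]
            findings.append(f"root access key {n} is active (last used {last})")
    return findings


def root_last_console_use(report_csv):
    """Informational: when the root password was last used; root should rarely appear here."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    return root["password_last_used"] if root else None


def live_report(timeout=60):
    """Generate and download the real report (assumes boto3 and IAM permissions)."""
    import boto3  # imported lazily so the pure checks above run without it
    iam = boto3.client("iam")
    deadline = time.time() + timeout
    # GenerateCredentialReport is asynchronous; poll until the state is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        if time.time() > deadline:
            raise TimeoutError("credential report not ready")
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    import sys
    report = live_report() if "--live" in sys.argv else SAMPLE_REPORT
    print(f"root password last used: {root_last_console_use(report)}")
    for line in root_findings(report) or ["root posture OK: MFA on, no access keys"]:
        print(line)
```

Run it without arguments to see the checks against the constructed report, or with `--live` from the IAM admin user created in Step 3 (never from root) to audit the real account; the report is regenerated at most every four hours, so a key deleted moments ago may still show until the next generation.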

Troubleshooting

Cannot assign MFA to root — Ensure you are signed in as root (URL shows /root). Use a supported MFA app (e.g. Google Authenticator, Authy) or hardware device; re-sync if the code is rejected.

Root access key still in use somewhere — Before deleting, identify all uses (scripts, CI, legacy apps). Create IAM user keys or roles and migrate; then delete the root key. Rotate any exposed key immediately.

No CloudWatch RootAccountUsage in my region — Use EventBridge to capture aws.signin events and filter for userIdentity.type root; trigger SNS or Lambda to alert.
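Step 4 and this troubleshooting entry both describe the EventBridge route: match console sign-in events where the identity type is root and route them to SNS. The block below is an added example, not the guide's own code; the event pattern uses the real field names for console sign-in events (`aws.signin`, `AWS Console Sign In via CloudTrail`, `detail.userIdentity.type`), while the matcher and the three sample events are constructed so the detection can be exercised offline.

```python
"""Root console sign-in detection via an EventBridge-style pattern (added example)."""
import json

# The pattern you would pass to EventBridge; it matches both successful and
# failed root console logins, which the guide says should each be investigated.
ROOT_SIGNIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
    },
}


def matches(pattern, event):
    """Minimal matcher for the exact-match subset of EventBridge pattern syntax:
    every pattern key must be present, nested dicts recurse, leaf lists are OR'd."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def _signin_event(identity_type, outcome, ip, mfa, when):
    """Constructed sign-in event in the shape EventBridge delivers from CloudTrail."""
    return {
        "source": "aws.signin",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "time": when,
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type},
            "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa},
        },
    }


# Constructed samples: one root success, one IAM user login, one root failure.
SAMPLE_EVENTS = [
    _signin_event("Root", "Success", "198.51.100.7", "Yes", "2024-05-01T09:12:00Z"),
    _signin_event("IAMUser", "Success", "198.51.100.8", "Yes", "2024-05-01T09:15:00Z"),
    _signin_event("Root", "Failure", "203.0.113.5", "No", "2024-05-01T23:40:00Z"),
]


def root_signins(events):
    """Return (time, outcome, source IP, MFA used) for each root console login."""
    hits = []
    for ev in events:
        if matches(ROOT_SIGNIN_PATTERN, ev):
            d = ev["detail"]
            hits.append((ev["time"], d["responseElements"]["ConsoleLogin"],
                         d["sourceIPAddress"], d["additionalEventData"]["MFAUsed"]))
    return hits


if __name__ == "__main__":
    for hit in root_signins(SAMPLE_EVENTS):
        print("ROOT SIGN-IN:", hit)
    # Pattern ready for: aws events put-rule --name root-signin --event-pattern file://pattern.json
    print(json.dumps(ROOT_SIGNIN_PATTERN, indent=2))
```

After saving the printed pattern to `pattern.json`, `aws events put-rule --name root-signin --event-pattern file://pattern.json` creates the rule and `aws events put-targets --rule root-signin --targets Id=sns,Arn=<your SNS topic ARN>` attaches the notification; console sign-in events for the global sign-in endpoint are delivered to the us-east-1 event bus, so create the rule there (or in every region you use) and confirm with a test sign-in as the IAM admin that the rule does not fire, then with a planned root sign-in that it does.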

Lost root password — Use account recovery at https://signin.aws.amazon.com; you will need access to the root email and possibly support for identity verification.

Next steps

Continue to