SEC01-BP02: Secure account root user and properties
Secure access to your accounts, for example by enabling MFA and restrict use of the root user, and configure account contacts.
Implementation guidance
The root user in your AWS account has complete access to all AWS services and resources in the account. Securing this user is critical to the overall security of your AWS environment. Additionally, securing account properties helps ensure that only authorized individuals can make changes to your account settings.
Key steps for implementing this best practice:
- Secure the root user credentials:
- Create a strong, complex password for the root user
- Enable multi-factor authentication (MFA) for the root user
- Store root user credentials securely using a password manager or physical safe
- Do not share root user credentials with anyone
- Do not create access keys for the root user
- Restrict use of the root user:
- Use the root user only for tasks that specifically require root user access
- Create administrative IAM users or roles for day-to-day administrative tasks
- Log out of the root user account immediately after completing required tasks
- Monitor root user activity using AWS CloudTrail
- Configure account contacts:
- Set up alternate contacts for billing, operations, and security
- Use distribution lists rather than individual email addresses
- Ensure contact information is up-to-date
- Implement a process to regularly review and update contact information
- Secure account recovery options:
- Ensure the email address associated with the root user is secure and accessible
- Verify that the phone number associated with the account is current
- Document the process for recovering root user access
- Test the recovery process periodically
- Ensure multiple team members understand the recovery process
- Implement additional account security measures:
- Enable AWS CloudTrail in all regions
- Configure CloudTrail logs to be immutable
- Set up alerts for root user activity
- Implement Service Control Policies (SCPs) in AWS Organizations to restrict root user actions
- Regularly review account security settings
Tasks that require root user credentials
Only a limited number of tasks require the use of root user credentials:
- Change your account name, email address, or root user password
- Change your AWS support plan
- Close your AWS account
- Register as a seller in the Reserved Instance Marketplace
- Configure an Amazon S3 bucket to enable MFA Delete
- Sign up for AWS GovCloud
- Request removal of the credit card limitation on your account
- Restore IAM user permissions if the only IAM administrator accidentally revokes their own permissions
For all other administrative tasks, create IAM users or roles with appropriate permissions.
Implementation examples
Example 1: Securing the root user
CODE SNIPPET WILL BE PROVIDED SOON –>
Example 2: Setting up CloudTrail to monitor root user activity
CODE SNIPPET WILL BE PROVIDED SOON –>
Example 3: Setting up alerts for root user activity
CODE SNIPPET WILL BE PROVIDED SOON –>
AWS services to consider
Benefits of securing the root user and account properties
- Reduced risk of unauthorized access: Protecting the root user prevents attackers from gaining full control of your AWS account
- Improved security posture: Following security best practices for the root user strengthens your overall security posture
- Simplified account recovery: Properly configured account contacts make it easier to recover access if needed
- Enhanced accountability: Using IAM users instead of the root user provides better audit trails and accountability
- Compliance support: Many compliance frameworks require securing privileged accounts like the root user