Securing the Root Account

When you create an AWS account, the email address you sign up with becomes the root user — the original, all-powerful owner of the account. The root user can do literally everything, including a handful of things nothing else on the account can do. Because it is so powerful, a compromised root user can mean a destroyed or hijacked account. This page shows you exactly how to lock the root user down and then walk away from it for daily work.

Why the root user is dangerous

The root user is identified by your account’s email address (not a username). It has unrestricted access to every service and every billing setting, and AWS Identity and Access Management (IAM) policies cannot restrict it. IAM is the AWS service that controls who can do what. You can attach a “deny everything” policy to an IAM user and it will be blocked, but the root user ignores all of that — it is above the rules.

That power is also why the root user is the single most valuable target for an attacker. If someone gets your root password (and you have no extra protection), they own your account: they can spin up expensive resources, steal data, or lock you out entirely.

Tasks only the root user can perform

A few account-level actions are reserved for the root user. This is the reason you lock it away rather than delete it — you will occasionally need it.

Task                                            | Root only? | Notes
------------------------------------------------|------------|----------------------------------
Change the account email or root password       | Yes        | Done from Account settings
Change or cancel the AWS Support plan           | Yes        | See Support Plans
Close the AWS account                           | Yes        | Permanent account deletion
Restore IAM user permissions after a lockout    | Yes        | Recovery from a bad policy
Change account name and tax/billing settings    | Yes        | Some billing actions
Register as a seller in AWS Marketplace         | Yes        | Reserved Instance Marketplace
Everyday work (EC2, S3, IAM, etc.)              | No         | Use an IAM user/role instead

Gotcha: Do not try to “remove” the root user. It cannot be deleted, and you genuinely need it for the tasks above. The goal is to secure it and never use it for routine work.

Step 1 — Enable MFA on the root user

Multi-Factor Authentication (MFA) means signing in requires both your password and a one-time code from a device you physically hold. Even if your password leaks, an attacker still cannot get in. This is the single highest-impact thing you can do.

When to use this: Always. Enable MFA on the root user before you do anything else.

Console steps:

  1. Sign in to the AWS Management Console as the root user.
  2. In the top-right, click your account name and choose Security credentials.
  3. Under Multi-factor authentication (MFA), click Assign MFA device.
  4. Pick a device type — Authenticator app (like Google Authenticator or Authy), a passkey/security key (e.g. a YubiKey), or a hardware TOTP token.
  5. Scan the QR code with your authenticator app, then enter two consecutive codes to confirm.

Tip: AWS now supports assigning multiple MFA devices (up to eight) to the root user. Add a backup device or passkey so a lost phone does not lock you out.

There is no CLI command to enable root MFA — it is a console-only, deliberately friction-heavy action. But you can verify MFA exists from the CLI (see below).

Step 2 — Delete root access keys

Access keys are long-lived credentials (an access key ID and a secret) used by the AWS Command Line Interface (CLI) and SDKs to call AWS programmatically. Root access keys are extremely dangerous because they grant unrestricted programmatic access with no way to scope them down.

When to use root access keys: Never. AWS recommends that the root user have zero access keys. Do all programmatic work with IAM users or roles instead.

Console steps:

  1. As the root user, go to Security credentials (same menu as above).
  2. Scroll to Access keys.
  3. If any keys exist, click Actions → Delete for each one.

Check from the CLI whether root keys exist using the account summary:

aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'

Output:

0

A value of 0 means the root user has no access keys — exactly what you want. A 1 means a root access key still exists and should be deleted in the console.

You can pull the full security posture in one call:

aws iam get-account-summary --query 'SummaryMap.{RootMFA:AccountMFAEnabled,RootKeys:AccountAccessKeysPresent,Users:Users,MFADevices:MFADevices}'

Output:

{
    "RootMFA": 1,
    "RootKeys": 0,
    "Users": 3,
    "MFADevices": 4
}

Here RootMFA: 1 confirms root MFA is on and RootKeys: 0 confirms no root keys exist.
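The two account-summary checks above (and the periodic re-check recommended under Best practices) can be turned into a small script that fails loudly when root drifts out of shape. This is an added example, not code from the AWS page; it parses the same SummaryMap fields the page queries, and the embedded sample summary is constructed here to stand in for live CLI output.

```python
"""Evaluate root-user hygiene from `aws iam get-account-summary`.

Added example: it turns the SummaryMap checks described on the page
(AccountMFAEnabled, AccountAccessKeysPresent) into a pass/fail report
suitable for a cron job or CI step. The sample below is constructed.
"""
from __future__ import annotations

import json
import subprocess
import sys

# Constructed sample mirroring the shape of the real get-account-summary JSON.
SAMPLE_SUMMARY = {
    "SummaryMap": {
        "AccountMFAEnabled": 1,
        "AccountAccessKeysPresent": 0,
        "Users": 3,
        "MFADevices": 4,
        "MFADevicesInUse": 4,
    }
}


def assess_root_posture(summary: dict) -> list[str]:
    """Return a list of findings; an empty list means root passes both checks."""
    m = summary["SummaryMap"]
    findings = []
    # AccountMFAEnabled is 1 once the root user has at least one MFA device.
    if m.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device (AccountMFAEnabled != 1)")
    # AccountAccessKeysPresent is 1 while any root access key still exists.
    if m.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access key present (AccountAccessKeysPresent != 0)")
    # MFADevicesInUse counts assigned devices, root's included, so this only
    # catches a clear shortfall: passing it does not prove every user has MFA.
    if m.get("MFADevicesInUse", 0) < m.get("Users", 0):
        findings.append("fewer MFA devices in use than IAM users; some user lacks MFA")
    return findings


def fetch_summary(profile: str | None = None) -> dict:
    """Call the AWS CLI (installed and configured) and parse its JSON output."""
    cmd = ["aws", "iam", "get-account-summary", "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return json.loads(subprocess.check_output(cmd))


if __name__ == "__main__":
    findings = assess_root_posture(fetch_summary())
    for f in findings:
        print("FAIL:", f)
    if not findings:
        print("PASS: root user has MFA and no access keys")
    sys.exit(1 if findings else 0)
```

Run it with the same credentials you use for everyday work; it needs only iam:GetAccountSummary, not root.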

Step 3 — Create an admin IAM user or role for daily use

Now that root is locked down, you need a normal identity for everyday work. The modern best practice is to create an administrator identity in IAM Identity Center (AWS’s recommended single sign-on service), but a simple IAM user with admin rights is perfectly fine for a personal or learning account.

Console steps (IAM admin user):

  1. Open the IAM console (search “IAM” in the top search bar).
  2. Go to Users → Create user, name it e.g. admin-jane.
  3. Tick Provide user access to the AWS Management Console and set a password.
  4. On Set permissions, choose Attach policies directly and select the AWS-managed AdministratorAccess policy.
  5. Create the user, then sign in once via the account-specific sign-in URL to confirm it works.
  6. Enable MFA on this IAM user too, then sign out of root.

CLI equivalent:

aws iam create-user --user-name admin-jane
aws iam attach-user-policy \
  --user-name admin-jane \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Output (from create-user; attach-user-policy prints nothing on success):

{
    "User": {
        "Path": "/",
        "UserName": "admin-jane",
        "UserId": "AIDA0A1B2C3D4E5F6G7H8",
        "Arn": "arn:aws:iam::123456789012:user/admin-jane",
        "CreateDate": "2026-06-15T10:42:00+00:00"
    }
}

Cost note: IAM, IAM Identity Center, MFA, and access-key management are all free — there is no charge for users, groups, roles, or policies. The only cost risk is an unsecured root account, which can rack up thousands of dollars if an attacker gets in.

Best practices

  • Enable MFA on the root user first, and add a backup device so a lost phone never locks you out.
  • Keep zero root access keys — verify with AccountAccessKeysPresent returning 0.
  • Never use root for daily work. Create an admin IAM user (or IAM Identity Center user) and use it instead.
  • Store the root password in a password manager, separate from your everyday credentials, and use a long unique password.
  • Set up account-level alerts (AWS Budgets and a billing alarm) so unexpected charges surface fast.
  • Lock it away, don’t delete it — you still need root for closing the account, changing support plans, and recovery.
  • Periodically re-check aws iam get-account-summary to confirm root MFA is on and no root keys have crept back in.
Last updated June 15, 2026