Amazon Web Services account root user - Amazon Identity and Access Management

Amazon Web Services account root user

When you first create an Amazon Web Services (Amazon) account, you begin with a single sign-in identity that has complete access to all Amazon services and resources in the account. This identity is called the Amazon account root user and is accessed by signing in with the email address and password that you used to create the account.

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Safeguard your root user credentials, and use them only to perform the few account and service management tasks that require them.

To view the tasks that require you to sign in as the root user, see Tasks that require root user credentials.

Important

In the Beijing and Ningxia Regions, there is no concept of a root user. All users are IAM users, including the user who created the Amazon account.

You can create, rotate, disable, or delete access keys (access key IDs and secret access keys) for your Amazon Web Services account root user. You can also change your root user password. Anyone who has root user credentials for your Amazon Web Services account has unrestricted access to all the resources in your account, including billing information.

When you create access keys, you create the access key ID and secret access key as a set. During access key creation, Amazon gives you one opportunity to view and download the secret access key part of the access key. If you don't download it or if you lose it, you can delete the access key and then create a new one. You can create root user access keys with the IAM console, Amazon CLI, or Amazon API.

A newly created access key has the status of active, which means that you can use the access key for CLI and API calls. You are limited to two access keys for each IAM user, which is useful when you want to rotate the access keys. You can also assign up to two access keys to the root user. When you disable an access key, you can't use it for API calls. Inactive keys still count toward your limit. You can create or delete an access key at any time. However, when you delete an access key, it's gone forever and can't be retrieved.

You can change the email address and password on the Security Credentials page. You can also choose Forgot password? on the Amazon sign-in page to reset your password.

Create or delete an Amazon Web Services account

For more information, see the following articles in the Amazon Knowledge Center:

Enable MFA on the Amazon Web Services account root user

We recommend that you follow the security best practice of enabling multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available. We recommend that you enable multiple MFA devices for your Amazon Web Services account root user and IAM users in your Amazon Web Services accounts. This allows you to raise the security bar in your Amazon Web Services accounts, including your Amazon Web Services account root user. You can register up to eight MFA devices of any combination of the currently supported MFA types for your Amazon Web Services account root user and IAM users.

With multiple MFA devices, only one MFA device is needed to sign in to the Amazon Web Services Management Console or create a session using the Amazon CLI as that user. For more information, see How do I use an MFA token to authenticate access to my Amazon resources through the Amazon CLI?

For more information about enabling MFA, see the following:

Creating access keys for the root user

Although we don't recommend it, you can use the Amazon Web Services Management Console or Amazon programming tools to create access keys for the root user.

To create an access key for the Amazon Web Services account root user (console)
  1. Sign in to the IAM console as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    Note

    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the Amazon Web Services Management Console as the root user in the Amazon Sign-In User Guide.

  2. Choose your account name in the navigation bar, and then choose Security credentials.

  3. If you see a warning about accessing the security credentials for your Amazon Web Services account, choose Continue to Security credentials.

  4. Review the alternatives. We don't recommend that you create root user access keys. If you choose to continue to create an access key, select the check box to indicate that you understand that this is not a best practice, and then choose Create access key.

  5. On the Retrieve access key page, choose either Show or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Done.

    If you choose Download .csv file, you receive a file named rootkey.csv that contains the access key ID and the secret key. Save the file somewhere safe.

  6. When you no longer use the access key, we recommend that you delete it, or at least deactivate it by choosing Actions and then Deactivate so that it cannot be misused.

To create an access key for the root user (Amazon CLI or Amazon API)

Use one of the following:

Deleting access keys for the root user

You can use the Amazon Web Services Management Console to delete access keys for the root user.

  1. Use your Amazon account email address and password to sign in to the Amazon Web Services Management Console as the Amazon Web Services account root user.

    Note

    If you see three text boxes, then you previously signed in to the console with IAM user credentials. Your browser might remember this preference and open this account-specific sign-in page every time that you try to sign in. You cannot use the IAM user sign-in page to sign in as the account owner. If you see the IAM user sign-in page, choose Sign in using root user email near the bottom of the page. This returns you to the main sign-in page. From there, you can sign in as the root user using your Amazon account email address and password.

  2. Choose your account name in the navigation bar, and then choose Security credentials.

  3. If you see a warning about accessing the security credentials for your Amazon Web Services account, choose Continue to Security credentials.

  4. On the next screen, choose Deactivate. This deactivates the access key. We recommend that you verify that the access key is no longer in use before you permanently delete it. To confirm deletion, copy the access key ID, paste the access key ID in the text input field, and then choose Delete.
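The two checks this page asks for (MFA enabled on the root user, and confirming that a root access key is no longer in use before deleting it) can be read from the `<root_account>` row of the IAM credential report. The following is an added example, not part of the original documentation; the sample report is constructed, shows only a subset of the report's columns, and the 90-day idle threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,false,true,2024-05-01T09:30:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,2024-05-20T12:00:00+00:00,false,N/A
"""

def _parse_ts(value):
    """Return an aware datetime, or None for placeholders such as N/A or no_information."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def audit_root(report_csv, now, idle_days=90):
    """Return findings for the <root_account> row, or None if the report has no such row."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != "<root_account>":
            continue
        findings = []
        if row["mfa_active"].lower() != "true":
            findings.append("root MFA is not enabled")
        for n in (1, 2):  # the root user can hold at most two access keys
            if row[f"access_key_{n}_active"].lower() != "true":
                continue
            last = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last is None:
                findings.append(f"root access key {n} is active and has never been used: delete it")
            elif (now - last).days >= idle_days:
                findings.append(f"root access key {n} is active but idle {(now - last).days} days: deactivate, then delete")
            else:
                findings.append(f"root access key {n} is active and was used {(now - last).days} days ago: find the caller before deleting")
        return findings
    return None

if __name__ == "__main__":
    for finding in audit_root(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)) or []:
        print(finding)
```

To run it against a real account, pass in the decoded CSV returned by `aws iam get-credential-report` (after `aws iam generate-credential-report`).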

Changing the password for the root user

For information about changing the password for the root user, see Changing the Amazon Web Services account root user password. To change the root user, you must log in using the root user credentials. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the Amazon Account Management Reference Guide.

Securing the credentials for the root user

For more information about securing the credentials for the Amazon Web Services account root user, see Safeguard your root user credentials and don't use them for everyday tasks.

Transferring the root user owner

To transfer ownership of the root user, see How do I transfer my Amazon Web Services account to another person or business?.