Amazon Web Services account root user - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Web Services account root user

When you first create an Amazon Web Services (Amazon) account, the email address and password you provide are the credentials for your root user, which has access to all Amazon services and resources in the account.

Important

In the Beijing and Ningxia Regions, there is no concept of a root user. All users are IAM users, including the user who created the Amazon account.

When you first create an Amazon Web Services (Amazon) account, you begin with a single sign-in identity that has complete access to all Amazon services and resources in the account. This identity is called the Amazon account root user and is accessed by signing in with the email address and password that you used to create the account.

Important

We strongly recommend that you don't use the root user for your everyday tasks and that you follow the root user best practices for your Amazon Web Services account. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.

Centrally manage root access for member accounts

To help you manage credentials at scale, you can centrally secure access to root user credentials for member accounts in Amazon Organizations. When you enable Amazon Organizations, you combine all your Amazon accounts into an organization for central management. Centralizing root access lets you remove root user credentials and perform the following privileged tasks on member accounts.

Remove member account root user credentials

After you centralize root access for member accounts, you can choose to delete root user credentials from member accounts in your Organizations. You can remove the root user password, access keys, signing certificates, and deactivate and delete multi-factor authentication (MFA). New accounts you create in Organizations have no root user credentials by default. Member accounts can't sign in to their root user or perform password recovery for their root user unless account recovery is enabled.

Perform privileged tasks that require root user credentials

Some tasks can only be performed when you sign in as the root user of an account. Some of these Tasks that require root user credentials can be performed by the management account or delegated administrator for IAM. To learn more about taking privileged actions on member accounts, see Perform a privileged task.

Enable account recovery of the root user

If you need to recover root user credentials for a member account, the Organizations management account or delegated administrator can perform the Allow password recovery privileged task. The person with access to the root user email inbox for the member account can reset the root user password to recover root user credentials. We recommend deleting root user credentials once you complete the task that requires access to the root user.

Additional resources

For more information about the Amazon root user, see the following resources:

Tasks that require root user credentials

We recommend that you configure an administrative user in Amazon IAM Identity Center to perform daily tasks and access Amazon resources. However, you can perform the tasks listed below only when you sign in as the root user of an account.

To simplify managing privileged root user credentials across member accounts in Amazon Organizations, you can enable centralized root access to help you centrally secure highly privileged access to your Amazon Web Services accounts. Centrally manage root access for member accounts lets you centrally remove and prevent long-term root user credential recovery, improving account security in your organization. After you enable this feature, you can perform the following privileged tasks on member accounts.

  • Remove member account root user credentials to prevent account recovery of the root user. You can also allow password recovery to recover root user credentials for a member account.

  • Remove a misconfigured bucket policy that denies all principals from accessing an Amazon S3 bucket.

  • Delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.

Account Management Tasks
Billing Tasks
Amazon GovCloud (US) Tasks
Amazon EC2 Task
Amazon KMS Task
  • In the event that an Amazon Key Management Service key becomes unmanageable, an administrator can recover it by contacting Amazon Web Services Support; however, Amazon Web Services Support responds to your root user's primary phone number for authorization by confirming the ticket OTP.

Amazon Simple Storage Service Tasks
Amazon Simple Queue Service Task

The following articles provide additional information about working with the root user.