Securing the credentials for the root user - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Securing the credentials for the root user

Because the root user is a highly privileged account, take extra care to secure the root user credentials. Some recommended practices are:

Enable multi-factor authentication (MFA) on your root user

MFA enhances security by helping to prevent the misuse of your root user credential by accidental exposure of a password because both the password and the MFA token are required for authentication. When possible, use a hardware-based MFA device that does not rely on a battery to generate the one-time password (OTP) and enable at least two MFA devices so that you have a backup in case a device fails or is lost. Don't re-use a physical MFA device for any other purpose than protecting the root user credentials. Store the MFA device according to your information security policy, but not in the same place as the associated password for the root user.

Never share your root user password or access keys with anyone

Restrict the use of these credentials to trusted individuals to minimize the risk of password exposure. Rely on your organization's information security policy for managing long-term storage and access to the root user password.

Use a strong root user password to help protect access

Strong passwords are more difficult to guess or break using brute-force attacks. Have root user passwords follow password complexity guidelines.

Don't create access keys for the root user

Don't use highly privileged credentials for programmatic access. Credentials that are stored within applications are an easily exploited attack surface.

Document the processes for using the root user credentials

Make sure your organization has behavioral controls as well as software controls to help protect your credentials. Social engineering is the most common method malicious users exploit to gain access to resources.

Monitor and review root user activity

Whenever the root user password or its storage location are accessed the event should be logged and monitored to verify that your account root user are following best practices. When the root user credentials are used, Amazon CloudWatch Application Insights and Amazon CloudTrail record the activity in the log and trail.

Implement administrative practices that distribute use of root user credentials.

We recommend that the root user credentials be distributed to two administrative groups. One group that controls the access to the email address associated with the root user credentials and one group that has access to the MFA device used to secure the root user credentials. One member from each group must come together to sign-in using the root user credentials. This helps prevent a segregation of duties violation during a security compliance audit. This approach helps mitigate the risk of a single person easily accessing both the root user password and MFA device.