Show Keeping your Amazon account secure is a major concern for every AWS user and admin. Here are the top five AWS root user account best practices every organization should follow:
Let’s break these down one by one. Credentials for the AWS root account should be shared only with a select group of individuals on the IT team. Don’t share the AWS root account with the CEO, or with an auditor or compliance officer. Only as small number of individuals should know where the root credentials are stored. Create rules about how to access that credential, and what steps to follow when the root account password is updated. If you must assign elevated rights to a user temporarily, create a time-boxed role for that individual. But never share AWS root account credentials. Another AWS root account best practice is to delete any programmatic access keys associated with the root user. If a PEM file or DER certificate exists for the root account, that doubles the root account’s attack surface. Delete those keys immediately. In rare instances, an administrator might perform an administrative function as a root user. There are no reasons why a piece of software should programmatically log in as root with user’s access keys. By default, AWS accounts are only protected by a username and password. The best practice here is to enable MFA. With a password, you prove who you are with a piece of information that only you know. MFA ups the ante by requiring not only what you know but also what you have. In addition to a password the user must also provide a token or code, generated on a device that is not the device on which the user is attempting to log in as the AWS root. Many Gmail or Facebook users are familiar with using SMS messages with MFA. AWS is much stricter — an SMS message to a mobile device is not a valid MFA option. For AWS, the only valid MFA options are:
Securing access to the root AWS account is a crucial best practice. If your organization uses any of the devices listed above, include them in an MFA routine. There is no default password rotation for the AWS root account. Once the AWS root password is set, there are no rules that require regular password updates. However, admins can easily create a setup to regularly rotate passwords by updating the password policy attached to the account. A general AWS root user best practice is to set the password rotation period to at least 90 days. For even more security, set it to 60 days. For day-to-day administration of the AWS console, create an administrative group and add trusted users who need elevated rights. The root AWS account can never be deleted, and the rights associated with the root account cannot be revoked. Admins can, however, remove a user from the administrative group or suspend a user’s account altogether. Furthermore, with administrative access provisioned on a per-account basis, admins can monitor the actions of a specific user to identify any peculiar activity that warrant investigation. If the root account is shared by multiple users, there is no way to identify which user performed which administrative tasks. A core tenet of server-side security is to respect the principle of least privilege. An admin should assign to users only the minimal rights to perform their required tasks. Furthermore, don’t add users to the administrative group every time they perform a one-off administrative function — use AWS roles instead. Also, regularly monitor exactly who is included in your account’s administrative group. If a user moves on to a non-administrative role, do not allow that user to perform management functions in AWS. Follow these AWS root account best practices, and you’ll ensure that nefarious cyber-criminals never gain access to your cloud-computing credentials. There are different types of users in AWS. For example, there is the account owner (root user) and AWS Identity and Access Management (IAM) users. When you create an AWS account, we create the account root user. The root user or an IAM administrator for the account can create IAM users. All AWS users have security credentials. Root user credentialsThe credentials of the account owner allow full access to all resources in the account. You can't use IAM policies to deny the root user access to resources explicitly. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user. Because of this, we recommend that you create an IAM user with administrator permissions for everyday AWS tasks, and lock away the credentials for the root user. There are specific tasks that are restricted to the AWS account root user. For example, only the root user can close your account. If you must perform a task that requires the root user, sign in to the AWS Management Console with the email address and password of the root user. For more information, see Tasks that require root user credentials in the AWS Account Management Reference Guide.
Considerations
IAM credentialsWith IAM, you can securely control access to AWS services and resources for users in your AWS account. For example, if you require administrator-level permissions, you can create an IAM user, grant that user full access, and then use those credentials to interact with AWS. If you must modify or revoke your permissions, you can delete or modify the policies that are associated with that IAM user. If you have multiple users who require access to your AWS account, you can create unique credentials for each user and define who has access to which resources. You don't need to share credentials. For example, you can create IAM users with read-only access to resources in your AWS account and distribute those credentials to users. For more information, see IAM identities in the IAM User Guide. When you use AWS programmatically, you provide your AWS access keys so that AWS can verify your identity in programmatic calls. Your access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Anyone who has your access keys has the same level of access to your AWS resources that you do. Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well. The steps that follow can help you protect your access keys. For background information, see Creating and deleting access keys for the AWS account root user. Your organization may have different security requirements and policies than those described in this topic. The suggestions provided here are intended as general guidelines. Remove (or don't generate) an account access keyYou must use your access keys to sign requests that you make using the AWS Command Line Tools, the AWS SDKs, or direct API calls. Anyone who has the access keys for your AWS account root user has unrestricted access to all the resources in your account, including billing information. You can't restrict the permissions for your AWS account root user. One of the best ways to protect your account is to not have access keys for your AWS account root user. Unless you must have root user access keys (which is rare), it is best not to generate them. Instead, the recommended best practice is to create one or more AWS Identity and Access Management (IAM) users. Grant those IAM users the necessary permissions, and use them for everyday interaction with AWS. If you already have access keys for your account, we recommend the following: Find places in your applications where you are currently using access keys (if any), and replace the root user access keys with IAM user access keys. Then disable and remove the root user access keys. For more information about how to substitute one access key for another, see How to Rotate Access Keys for IAM Users on the AWS Security Blog. By default, AWS doesn't generate access keys for new accounts. For information about how to create an IAM user with administrative permissions, see Creating Your First IAM Admin User and Group in the IAM User Guide. Use temporary security credentials (IAM roles) instead of long-term access keysIn many scenarios, you don't need long-term access keys that never expire (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire. Long-term access keys, such as those associated with IAM users and AWS account root users, remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time. Use temporary security credentials to help reduce your risk in case credentials are accidentally exposed. Use an IAM role and temporary security credentials in these scenarios:
Manage IAM user access keys properlyIf you must create access keys for programmatic access to AWS, create them for IAM users, granting the users only the permissions they require. For more information, see Managing access keys for IAM users in the IAM User Guide. Are you using an Amazon EC2 instance with an application that requires programmatic access to AWS resources? If so, use IAM roles for EC2. Observe these precautions when using access keys:
Access the mobile app using AWS access keysYou can access a limited set of AWS services and features using the AWS mobile app. The mobile app helps you support incident response while on the go. For more information and to download the app, see AWS Console Mobile Application. You can sign in to the mobile app using your console password or your access keys. As a best practice, do not use root user access keys. Instead, we strongly recommend that in addition to using a password or biometric lock on your mobile device, you create an IAM user to manage AWS resources. If you lose your mobile device, you can remove the IAM user's access. For more information about generating access keys for an IAM user, see Managing access keys for IAM users in the IAM User Guide. To sign in using access keys (mobile app)
Learn moreFor more information about best practices for keeping your AWS account secure, see the following resources: |