Introducing the Root User

Natasha Ong
This is some text inside of a div block.
4 min read

What does 'root user' mean? Why should I care?

In AWS, a user is a person or a computer that can do things on the AWS cloud.

When you create an AWS account, the email address you sign up with becomes the root user of the AWS account. So when you log into your AWS Management Console using you email address and password, you are logging in as the root user.

This root user has unrestricted access to everything in your account in most cases. This root user can do whatever they want in the account. It has all of the powers that can be had.

And with great power comes great responsibility (or something like that).

On top of enabling multi-factor authentication for the root user (we show you what that means below), we strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. There are really only a few actions that require root user access.

In the exercise you do later, you will learn how to create an IAM user, and use that to log into your AWS account instead of using the root user.

What is an IAM user? How is it different from the root user?

IAM (Identity and Access Management) users are like sub-users or team members of the AWS account, and they have their own usernames and passwords.

  • Think of the root user as the master key in a hotel - it can open all the doors! IAM users are other keys with different levels of permissions - housekeeping's keys can unlocks guest rooms, the front desk team has their keys to unlock the front entrance, and the room service team can access all the kitchen areas. The permissions between different keys can definitely overlap.
  • In general, IAM users have limited permissions, meaning they can only do certain things as allowed by the AWS account's owner. The root user, on the other hand, is like the super boss of the AWS account with full control and access to everything.
  • Note: They're called IAM users because we create them using a specific AWS service called Identity and Access Management (IAM)! IAM is a key service that you'll be using heaps in the course.

Using IAM users (instead of your root user) is a great idea for your day to day exercises on AWS. The IAM user limits access and actions to only what's necessary, reducing the risk of accidents or security breaches.

What is MFA (multi-factor authentication)?

When you create an AWS account and first log in to the account, you use single-factor authentication. Single-factor authentication is the simplest and most common form of authentication. It only requires one authentication method. In this case, you use a user name and password to authenticate as the AWS root user. Other forms of single-factor authentication include a security pin or a security token.

However, sometimes a user’s password is easy to guess.

For example, your coworker Bob’s password, IloveCats222, might be easy for someone who knows Bob personally to guess, because it’s a combination of information that is easy to remember and includes certain facts about Bob (Bob loves cats, and his birthday is February 22).

If a bad actor guessed or cracked Bob’s password through social engineering, bots, or scripts, Bob might lose control of his account.

Unfortunately, this is a common scenario that users of any website often face. This is why using multi-factor authentication (MFA) is important in preventing unwanted account access.

MFA requires two or more authentication methods to verify an identity.

  1. Something you know - e.g. a user name and password or pin number.
  2. Something you have - e.g. a one-time passcode from a hardware device or mobile app.
  3. Something you are - e.g. a fingerprint or face scanning technology.

With a combination of this information, systems can provide a layered approach to account access. So even if the first method of authentication, like Bob’s password, is cracked by a malicious actor, the second method of authentication, such as a fingerprint, provides another level of security. This extra layer of security can help protect your most important accounts, which is why you should activate MFA on your AWS root user.

AWS root user best practices

The root user has complete access to all AWS services and resources in your account, including your billing and personal information.

You should securely lock away the credentials associated with the root user and not use the root user for everyday tasks.

To ensure the safety of the root user:

  • Choose a strong password for the root user.
  • Enable multi-factor authentication (MFA) for the root user.
  • Never share your root user password or access keys* with anyone.
*Access keys in AWS are like special codes made of an ID and a key that grant access to your AWS account, but we don't use them to log in! That's what passwords and MFA are for. Developers use access keys in their code to give their code the power to control their account. If someone else gets your root user access keys, they could use them in code to take over your AWS account, which can lead to security problems and unauthorised changes.
  • Disable or delete the access keys associated with the root user.
  • Create an Identity and Access Management (IAM) user for administrative tasks or everyday tasks.