Everyone logs in with the AWS root account
Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
Try this first
- 1Add hardware MFA to root and store the key physically
- 2Remove root access keys, no legit use case
- 3Create an IAM user or better an Identity Center account per person
- 4Document where root password and MFA device live, two people know
When to bring us in
If the root password is lost, AWS support can help via account verification. Plan multiple days.
See also
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
- Not all IAM users have MFAWithout MFA, a leaked password equals account takeover. Force it via policy.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.