How do we really lock down the AWS root account?
MFA is mandatory, ideally on a hardware key (a YubiKey or similar FIDO security key). After that, never sign in as root except for the few account-level tasks that genuinely require it.
Try this first
1. Bind two hardware MFA keys to root: a primary (in the vault) and a backup (stored in a separate location). AWS lets you register more than one MFA device on the root user, so there is no reason to depend on a single key. An authenticator app alone is not enough for root.
2. Remove access keys from the root account. Check whether any exist (the IAM credential report lists them on the `<root_account>` row); if they do, delete them. Root should never have programmatic credentials.
3. Generate a long random root password and store it in a team password manager with two custodians, not in someone's personal vault.
4. Enable CloudTrail for the account and set up billing alerts. Root is a principal, not a trail scope: any action taken as root (userIdentity.type "Root" in CloudTrail) should page your security mailbox or Slack channel.
5. Do a recovery test: can you still get into root with the backup key if the primary is lost? Test quarterly, before you really need it.
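The two checks behind steps 2 and 4, as an added example that is not part of this page or of any AWS tooling: one function audits the root row of the IAM credential report (the base64 CSV that `aws iam get-credential-report` returns in its `Content` field) for MFA and active access keys, and one applies the CIS-style CloudTrail filter for direct root activity (type `Root`, no `invokedBy`, not an `AwsServiceEvent`) so that service calls made on root's behalf do not page you. The report CSV and CloudTrail records below are constructed for the example, and the report is trimmed to the columns the audit reads.

```python
"""Root-user hygiene audit and root-activity detection (added example)."""
import base64
import csv
import io

ROOT_USER = "<root_account>"  # user name AWS puts on the root row of the report

# Constructed credential report: root has MFA but a live access key 2.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,"
    "access_key_2_active,access_key_2_last_rotated\n"
    "<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,"
    "not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,true,"
    "false,N/A,true,2021-06-01T00:00:00+00:00\n"
    "alice,arn:aws:iam::123456789012:user/alice,2020-01-01T00:00:00+00:00,true,"
    "2024-03-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,"
    "true,2024-01-01T00:00:00+00:00,false,N/A\n"
)
# The CLI hands the report over base64-encoded; mimic that for the sample.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT.encode()).decode()


def decode_credential_report(content_b64: str) -> str:
    """Turn the base64 'Content' field from get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode()


def audit_root(report_csv: str) -> list[str]:
    """Return findings for the root row; an empty list means root is clean."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root row missing from credential report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root has no MFA device")
    for n in ("1", "2"):
        if root[f"access_key_{n}_active"] == "true":
            findings.append(f"root access key {n} is active; delete it")
    return findings


# Constructed CloudTrail records: a root console sign-in, an IAM-user call,
# and a service acting with root identity on the account's behalf.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-03-01T10:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "principalId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root",
                         "accountId": "123456789012"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-03-01T10:05:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {
        "eventTime": "2024-03-01T10:06:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketAcl",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "config.amazonaws.com",
        "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com",
                         "arn": "arn:aws:iam::123456789012:root"},
    },
]


def is_root_activity(record: dict) -> bool:
    """Same condition as the CIS metric filter:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }"""
    ident = record.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident
        and record.get("eventType") != "AwsServiceEvent"
    )


def root_events(records) -> list[str]:
    """One review line per record a human should look at."""
    out = []
    for r in records:
        if not is_root_activity(r):
            continue
        mfa = r.get("additionalEventData", {}).get("MFAUsed", "n/a")
        out.append(f"{r['eventTime']} {r['eventName']} "
                   f"from {r.get('sourceIPAddress')} MFA={mfa}")
    return out


if __name__ == "__main__":
    print(audit_root(decode_credential_report(SAMPLE_REPORT_B64)))
    print("\n".join(root_events(SAMPLE_RECORDS)))
```

Run the audit on every account at least as often as the quarterly recovery test; a root access key that appears between runs is itself an incident. The detection side is the same predicate you would put in a CloudWatch Logs metric filter or an EventBridge rule, just written out so you can test it against captured records before wiring up the alert.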
When to bring us in
If you suspect root is compromised: contact AWS Support and your security officer immediately. Don't poke around yourself; you will trigger alarms you then have to explain afterwards.
See also
- Everyone logs in with the AWS root account: Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccess: AdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own password: Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.