Avoid using Root and audit it

It is recommended to avoid using the root user (and, in multi-account scenarios, the root user of each account) except in cases where it is strictly necessary.

The recommendation is to use a centralized user repository such as AWS Directory Service (Active Directory / Simple AD), Active Directory on EC2, Okta, PingIdentity, Azure Active Directory, or OneLogin. If you don’t currently have a user repository, it’s preferable to use IAM users rather than root until the directory is implemented, but keep in mind that IAM users are not a best practice: they may not be removed when the employee is terminated, and the access keys associated with IAM users are durable credentials that you have to rotate periodically.

It is advisable to audit your root account usage via AWS CloudTrail and generate usage alerts with Amazon Simple Notification Service (SNS) notifications.
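As an added illustration (not part of the original article), the following Python applies the same root-usage logic that the commonly used CloudWatch Logs metric filter `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }` encodes, over a constructed CloudTrail log file, and turns each hit into an alert summary that could be published to an SNS topic. The sample records, account ID and IP address are made up; the field names follow the CloudTrail record format.

```python
import json

# Constructed CloudTrail log file (fields follow the real record format; values are made up).
SAMPLE_LOG_FILE = json.dumps({"Records": [
    # Interactive console sign-in by the root user: this is what we want to alert on.
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.10",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    # Call made on the account's behalf by an AWS service (invokedBy present): suppressed.
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "DescribeTrails",
     "eventType": "AwsApiCall", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
    # Service-generated event attributed to root: suppressed.
    {"eventTime": "2024-01-01T10:10:00Z", "eventName": "AutomaticRotation",
     "eventType": "AwsServiceEvent", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "Root"}},
    # Ordinary IAM user activity: not root, ignored.
    {"eventTime": "2024-01-01T10:15:00Z", "eventName": "ListBuckets",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.7",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})


def is_root_usage(record: dict) -> bool:
    """True for direct root-user activity; mirrors the CIS-style metric filter:
    type == Root, no invokedBy (not an AWS service acting for the account),
    and not an AwsServiceEvent."""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


def root_usage_alerts(log_file_json: str) -> list:
    """Parse a CloudTrail log file ({"Records": [...]}) and return one alert per root usage.
    Each alert is a short text line, suitable as the Message of an SNS publish call."""
    records = json.loads(log_file_json).get("Records", [])
    return [
        f"ROOT USAGE account={r.get('recipientAccountId', '?')} "
        f"event={r.get('eventName', '?')} time={r.get('eventTime', '?')} "
        f"sourceIP={r.get('sourceIPAddress', '?')}"
        for r in records if is_root_usage(r)
    ]


if __name__ == "__main__":
    for alert in root_usage_alerts(SAMPLE_LOG_FILE):
        print(alert)
```

In production the same function can sit in a Lambda triggered by CloudTrail delivery to S3 (or the filter pattern can be attached directly to the CloudTrail log group) and publish each alert with `sns.publish`.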

Additional details can be found in the documentation.

Additional Best Practices for root

  • Remove access keys (you should not enable access keys on root, as they are unrestricted and therefore not least privilege)
  • Limit use to administrative tasks that require root user credentials:
    • User management (emergency only)
    • Payment options
    • Change support plan
    • Billing information
    • Update contact information
  • In multi-account environments it is advisable not to use the root user of the child (member) accounts, and to deny all root user actions using SCPs