Certified Security - Specialty


Multiple root accounts

For one AWS account, can we have multiple root accounts? Otherwise, if an admin who uses the root account leaves, how can you log in as root?

2 Answers

You should consider following the AWS IAM best-practice to create individual IAM users [1] for account administrators.

I do not see any reason why an Administrator should use a root account. 

Create an IAM user and assign the AWS-managed policy "AdministratorAccess" [2].

Then, change the root account credentials and lock them away so that only a few people in the organization (e.g. the CTO) could ever theoretically access them.

AWS Organizations:

If you are using AWS Organizations, make sure that the "OrganizationAccountAccessRole" is created in each member account [3]. Then, deny access to all identities in the member account to modify or delete the role by using an SCP.

Alternative: Do not use the root account for organization members at all and provide a valid email address at account creation instead, so you could theoretically regain access to the member account at any time by resetting the password via email. [4]

References:

[1] https://docs.aws.amazon.com/en_en/IAM/latest/UserGuide/best-practices.html#create-iam-users
[2] https://docs.aws.amazon.com/en_en/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator
[3] https://docs.aws.amazon.com/en_en/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_access-cross-account-role
[4] https://docs.aws.amazon.com/en_en/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_access
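The two Organizations steps in the answer above (a cross-account admin role in every member account, and an SCP that stops anyone inside the member account from tampering with it) as an added, runnable example. This is not code from the original thread or from AWS: the account IDs are constructed placeholders, the list of denied IAM actions is this example's own choice of the calls that can weaken or remove a role, and `scp_denies` is a deliberately simplified policy evaluator (wildcard matching only, no Condition support) used to show which calls the SCP blocks and which it leaves alone.

```python
import fnmatch
import json

# Constructed placeholders; substitute your own management account ID.
MANAGEMENT_ACCOUNT_ID = "111111111111"
ROLE_NAME = "OrganizationAccountAccessRole"


def org_access_role_trust_policy(management_account_id=MANAGEMENT_ACCOUNT_ID):
    """Trust policy for the cross-account admin role created in each member
    account: only principals in the management account may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


# SCP to attach to the OU holding the member accounts (example policy written
# here). It denies every principal in those accounts the IAM calls that could
# weaken, detach from, or delete the role. SCPs never apply to the management
# account, so the recovery path (management account -> sts:AssumeRole into the
# member account) keeps working while nobody inside the member account can
# break it.
PROTECT_ROLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyChangesToOrgAccessRole",
            "Effect": "Deny",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription",
            ],
            "Resource": f"arn:aws:iam::*:role/{ROLE_NAME}",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy, action, resource_arn):
    """Simplified evaluator for the Deny statements of an SCP (no Condition
    handling). IAM action names are matched case-insensitively and ARNs
    case-sensitively, both with IAM-style '*' wildcards. True means the call
    fails regardless of what IAM policies inside the member account allow,
    because an explicit SCP deny always wins."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r) for r in resources)
        if action_hit and resource_hit:
            return True
    return False


def scp_document():
    """JSON text for `aws organizations create-policy --content file://scp.json`."""
    return json.dumps(PROTECT_ROLE_SCP, indent=2)


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::222222222222:role/{ROLE_NAME}"  # constructed member account
    for action in ("iam:DeleteRole", "iam:UpdateAssumeRolePolicy", "iam:GetRole", "sts:AssumeRole"):
        verdict = "DENIED by SCP" if scp_denies(PROTECT_ROLE_SCP, action, role_arn) else "not blocked by SCP"
        print(f"{action:28} on {ROLE_NAME}: {verdict}")
    print(scp_document())
```

Write `scp_document()` to a file, create it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --name ProtectOrgAccessRole --description "..." --content file://scp.json`, and attach it to the OU with `aws organizations attach-policy --policy-id <id> --target-id <ou-id>`. Note what the evaluator makes visible: `sts:AssumeRole` and read-only calls such as `iam:GetRole` on the protected role are not denied, and the same destructive calls against any other role name are untouched, so the SCP only protects the recovery path rather than locking down IAM generally.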

No, per AWS account you will only have a root login.

Logging in to AWS is always possible via http://console.aws.amazon.com/ . If you want to log in as root on that page, there will be a link 'Sign in using root account credentials'. Then you will get a screen to log in with the e-mail address with which you registered.

As Martin mentions below, root account usage is frowned upon; generally, a normal IAM user can be granted the permissions you need. The root account is best disabled, or its credentials securely stored and only used as an in-case-of-emergency switch.
