It is AWS best practice not to use the root user. However, there are certain tasks that require root credentials.
🚨 Update - Root is no longer required for the following task:
Creation of a CloudFront key pair.
How to create a CloudFront key pair
AWS Command Line Interface:
aws cloudfront create-public-key \
--public-key-config file://pub-key-config.json
As we all know, it is AWS best practice not to use the root user. However, there are certain tasks that require root credentials.
But why? The root user has full access to all your resources for all AWS services, including your billing information. Moreover, there is no way to reduce the permissions associated with the access key of your AWS account root user. Additionally, compliance requirements call for enabling multi-factor authentication with a hardware MFA device for the root user.
So please remember:
🚨 If you do have an access key for your AWS root user, delete the access key.
🚨 Enable MFA for the root user with a hardware MFA device and lock the device in a safe.
🚨 Create an IAM user for yourself that has administrative permissions, and use the root user only for the following tasks.
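The three reminders above can be checked from the IAM credential report and the list of virtual MFA devices. This is an added example, not code from the original post; the AWS CLI commands named in the docstring are real, while the sample report and device list are constructed for illustration.

```python
"""Check the root user against the three reminders above, using two AWS CLI
outputs fetched out of band (nothing here touches the network):
  aws iam generate-credential-report
  aws iam get-credential-report --query Content --output text | base64 -d
  aws iam list-virtual-mfa-devices --assignment-status Assigned
Added example, not from the original post; the sample data is constructed."""
import csv
import io

ROOT_USER = "<root_account>"  # literal user name IAM uses for the root row


def root_findings(report_csv: str, virtual_devices: list[dict]) -> list[str]:
    """Return hygiene findings for the root user; an empty list means clean."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["credential report has no root row (report may be stale)"]
    findings = []
    # Reminder 1: the root user must not have any access key at all.
    for slot in ("access_key_1_active", "access_key_2_active"):
        if root.get(slot, "").lower() == "true":
            findings.append(f"root has an active access key ({slot}): delete it")
    # Reminder 2: MFA must be on, and it should be a hardware device, not a
    # virtual one. A virtual device bound to root appears in
    # list-virtual-mfa-devices with a User.Arn ending in ":root".
    if root.get("mfa_active", "").lower() != "true":
        findings.append("root has no MFA device: enable a hardware MFA device")
    elif any(d.get("User", {}).get("Arn", "").endswith(":root") for d in virtual_devices):
        findings.append("root MFA is a virtual device: replace it with a hardware device")
    return findings


# Constructed sample inputs (a column subset of a real credential report).
SAMPLE_REPORT = (
    "user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,true,true,true,false\n"
    "alice,arn:aws:iam::111122223333:user/alice,true,true,true,false\n"
)
SAMPLE_VIRTUAL_DEVICES = [
    {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::111122223333:root"}},
]

if __name__ == "__main__":
    for finding in root_findings(SAMPLE_REPORT, SAMPLE_VIRTUAL_DEVICES):
        print("FINDING:", finding)
```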
Tasks that require the root user
1. Change your account settings (account name, root user password, email address) and enable MFA
How to change your Account Name, Root User Password, and Root User Email Address
- Sign in to your AWS Account with root credentials.
- Open the Billing and Cost Management console.
- On the navigation bar, choose your account name and then choose My Account.
- On the Account Settings page, choose Edit.
- Next to the field to update, choose Edit.
- Enter your changes and choose Save changes.
- Choose Done.
How to enable MFA for root user
- Sign in to your AWS Account with root credentials.
- Open the Billing and Cost Management console.
- On the navigation bar, choose your account name and then choose My Security Credentials.
- Expand Multi-factor authentication (MFA).
- Click Activate MFA.
- Follow the instructions in the Activate MFA box.
2. Change your AWS support plan
How to change your AWS support plan
- Sign in to your AWS Account with root credentials.
- Open the Billing and Cost Management console.
- On the navigation bar, choose your account name and then choose My Account.
- Scroll to the Manage AWS Support Plans section.
- Click on the Click here to manage AWS Support plans button.
- Choose your new AWS Support Plan and click Change Plan.
3. Close an AWS account.
How to close your AWS Account
- Sign in to your AWS Account with root credentials.
- Open the Billing and Cost Management console.
- On the navigation bar, choose your account name and then choose My Account.
- Scroll to the end of the page to the Close Account section.
- Select the check box to accept the terms and then choose Close Account.
- In the confirmation box, choose Close Account.
4. Submit a Reverse DNS for Amazon EC2 request.
How to submit a Reverse DNS for Amazon EC2 request.
- Sign in to your AWS Account with root credentials.
- Fill out the Reverse DNS for Amazon EC2 request form.
5. Request removal of the port 25 email throttle on your EC2 instance.
How to request removal of the port 25 email throttle on your EC2 instance
- Sign in to your AWS Account with root credentials.
- Fill out the Request to Remove Email Sending Limitations form.
6. Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete.
How to enable MFA delete for an S3 bucket
Unfortunately, enabling MFA delete is currently not supported in the console. You need to use the following AWS CLI command, where the --mfa value is the serial number of the root user's MFA device followed by a space and the current code from that device:
aws s3api put-bucket-versioning --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "your-mfa-serial-number mfa-code"
7. Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID.
How to edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID
- Sign in to your AWS Account with root credentials.
- Open the Amazon S3 Console.
- Select the bucket where you want to edit or delete the bucket policy.
- Choose the Permissions tab and select Bucket Policy.
- Edit the bucket policy and click Save or click Delete to delete the bucket policy.
8. Sign up for GovCloud (US).
How to sign up for GovCloud (US)
- Sign in to your AWS Account with root credentials.
- Open the Billing and Cost Management console.
- On the navigation bar, choose your account name and then choose My Account.
- Scroll to the GovCloud (US) section.
- Click Sign up for AWS GovCloud (US).