What is AWS Root Account Risk?
The AWS root account has unrestricted access to everything. Learn the risks of root account misuse and how to lock it down per AWS best practice.
What is AWS Root Account Risk?
Definition
The AWS root account (also called the root user) is the original identity created when an AWS account is opened. It has unrestricted access to every service and resource in the account — and cannot be limited by IAM policies, SCPs, or permission boundaries.
AWS Root Account Risk refers to the security risks introduced when the root account is misused, weakly secured, or actively used for daily operations.
In simple terms:
Root is the master key. If it's stolen, the account is gone. If it's used daily, every action is one mistake away from catastrophe.
Why Root Risk Matters
- Root cannot be denied by SCPs or boundaries.
- Root can change account settings, billing, contact info, close the account, change the support plan, modify password recovery.
- Root credential compromise = total account loss.
- Root account compromises have shut down companies (e.g., CodeSpaces).
What the Root Account Can Do (That Nothing Else Can)
- Change account name, email, password, contact information.
- Change/cancel AWS support plan.
- Restore IAM user permissions.
- Close the AWS account.
- Change/disable account settings.
- Sign up for / cancel AWS Marketplace subscriptions.
- Delete the S3 bucket containing CloudTrail logs (if MFA Delete not enabled).
- Manage the AWS Organizations management account in some cases.
- Some IAM operations available only to root in specific scenarios.
Common Risks
1. Root Used for Daily Operations
Engineers logging in as root for "convenience." Every action carries unlimited authority.
2. Root Has Active Access Keys
Long-lived programmatic credentials with full power. Never create access keys for root unless absolutely necessary; rotate immediately if existing.
3. No / Weak MFA
Root with only password protection. Phishing/breach = compromise.
4. Recovery Email Compromised
Account recovery email belongs to a personal address or shared mailbox. Attacker compromises email → resets root password.
5. No Monitoring
Root sign-in events not detected; CloudTrail not centralized.
6. Phone-Based MFA Only
SMS-based MFA susceptible to SIM swap. Hardware key (FIDO2/U2F) preferred.
7. Root Account in Multi-Account Org Without Strategy
Each member account's root is its own risk surface.
8. Federation Replacement Forgotten
Modern best practice: don't use root for nearly anything; use Identity Center or federation. Old habits persist.
Real-World Examples
CodeSpaces (2014)
Attacker obtained AWS console credentials with full access (effectively root-equivalent), deleted the entire infrastructure including backups. Company shut down within days.
Multiple SMB Account Compromises
Reports of attackers using stolen root credentials to mine cryptocurrency, exfiltrate data, or wipe accounts. Lack of MFA the common factor.
Large Org Hygiene Audits
Organizations with hundreds of AWS accounts often discover legacy root accounts with no MFA, with active access keys created during initial setup, or with recovery emails belonging to former employees.
Best Practices
1. Lock Root Down
- Strong unique password (≥ 24 chars, password manager).
- Hardware MFA (FIDO2 / Yubikey) — prefer over phone.
- Recovery email = dedicated, monitored, controlled distribution list.
- Recovery phone = controlled number.
- Document all root credentials in a secure procedure.
2. Don't Use Root Daily
- Create privileged IAM admins or use Identity Center for daily admin work.
- Reserve root for the few tasks only it can do.
3. No Active Access Keys
- If root has access keys, delete them.
- Never create new ones.
4. SCP Awareness
- SCPs don't restrict root in member accounts (note: SCPs apply, but root can still circumvent some restrictions in management account scenarios). Treat root as outside policy enforcement.
5. Monitor
- Detect root sign-in events in CloudTrail.
- Alert on any root activity to security team.
- Centralize CloudTrail in dedicated logging account.
6. Centralize Account Management
- Use AWS Organizations.
- Consider AWS Account Factory (Control Tower) for consistent root hardening on new accounts.
7. Secure Storage
- Store root password and MFA recovery in physical safe with chain of custody.
- Document break-glass procedure.
8. Annual Review
- Verify root credentials, MFA, and recovery info annually.
- Test break-glass.
Checklist
- Strong root password in password manager?
- Hardware MFA on root?
- Recovery email is monitored shared mailbox / DL?
- Recovery phone is controlled corporate number?
- No active root access keys?
- Root sign-in monitored and alerted?
- CloudTrail centralized?
- Identity Center / federated SSO used for daily admin?
- Annual root credential and MFA review?
- Break-glass procedure documented and tested?
- New accounts hardened via Control Tower / standard process?
How Forestall Helps
Forestall checks every AWS account for root hygiene:
- Root MFA presence and type.
- Active root access keys.
- Recent root sign-in events.
- Recovery contact configuration.
- Risk-scoring across all accounts.
- Alerting on root activity anomalies.
Frequently Asked Questions
Can I delete the root account?
No — it's tied to the AWS account and can only be removed by closing the account.
Can SCPs restrict root?
In member accounts of an Organization, SCPs apply, but root has special powers (e.g., reverting account settings) outside SCP scope. Always treat root as the highest-risk identity.
Should I use SMS MFA on root?
No — use hardware FIDO2 keys; SMS is susceptible to SIM swap.
Can I federate root?
No — root is local to each account.
How often should I rotate root password?
When personnel changes occur, when MFA is replaced, or annually. Document the process.
Conclusion
The AWS root account is the most powerful — and therefore most dangerous — identity in any AWS account. Lock it down with hardware MFA, controlled recovery channels, no access keys, and minimal use; monitor it relentlessly; and use Identity Center / federation for everything else. Done well, root becomes a forgotten safety net rather than a daily attack surface.
Audit your root account hygiene across every AWS account.
Forestall flags root account misuse, missing MFA, active access keys, and unsafe recovery email.