7.1.5. Root User Credential Management
First Principle: The root user has unrestricted access to every resource in its account. SCPs do apply to the root user of a member account, but they never apply to the management account (its root user included) and cannot reach the root-only account tasks that AWS documents as outside SCP control, so no policy fully contains a root user whose credentials exist. Securing, and wherever possible removing, root credentials is therefore the single highest-priority credential management task in any AWS environment.
Centralized Root Access Management — expanded in C03:
- AWS Organizations supports centralized root access for member accounts: the management account enables it with the IAM actions `EnableOrganizationsRootCredentialsManagement` and `EnableOrganizationsRootSessions` (trusted access for `iam.amazonaws.com` must be turned on first)
- Root credentials can then be deleted from existing member accounts, and member accounts created afterwards get no root password at all
- Privileged root tasks for a member account (auditing, creating or deleting root credentials, unlocking a mis-configured S3 bucket or SQS queue policy) are performed from the management account or a delegated administrator through a short-lived `sts:AssumeRoot` session scoped to one AWS-managed task policy; every such session is logged in CloudTrail
- Reduces the number of root credentials that need protection, usually to one: the management account's own root user, which this feature does not cover and which still needs hardware MFA and a break-glass process
Root User Security Best Practices:
| Control | Implementation |
|---|---|
| MFA on root | FIDO2 security key or hardware TOTP device (recommended) or virtual MFA; register a second device (AWS allows up to 8 per user) so losing one device is not a lockout |
| No access keys | Delete all root access keys — use IAM roles instead; nothing that needs programmatic access should ever run as root |
| Email security | Dedicate a distribution list email for root (not personal email); this mailbox receives the password-reset link, so protect it with MFA and restrict its membership |
| Break-glass procedures | Documented process for emergency root access with approval workflow |
| Monitoring | CloudTrail to CloudWatch Logs metric filter on `userIdentity.type = "Root"` (any root API call, not only `ConsoleLogin`) with an alarm to SNS; flag `ConsoleLogin` events where `additionalEventData.MFAUsed` is `No` separately |
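The Monitoring row above, as an added example that is not part of the original page: a Python detector that implements the same logic as the CIS AWS Foundations Benchmark CloudWatch Logs metric filter for root usage and runs it over constructed CloudTrail records so it can be exercised offline. The severity grading (critical / high / medium), the helper names and the sample records are this example's own choices, not AWS output.

```python
"""Root-usage detector over CloudTrail records (added example, offline-runnable)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass

# CloudWatch Logs metric-filter pattern that the detector below mirrors. It is the
# CIS AWS Foundations Benchmark filter for root account usage: direct use of root
# credentials, excluding calls an AWS service made on root's behalf (invokedBy)
# and service-generated events (eventType AwsServiceEvent).
ROOT_USAGE_METRIC_FILTER = (
    '{ $.userIdentity.type = "Root" '
    '&& $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


@dataclass(frozen=True)
class RootUsageAlert:
    account_id: str
    event_name: str
    event_time: str
    source_ip: str
    severity: str  # "critical", "high" or "medium"; the grading is this example's own


def is_root_usage(event: dict) -> bool:
    """True when the CloudTrail record is direct use of root credentials."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "Root":
        return False
    if "invokedBy" in identity:  # an AWS service acting on root's behalf
        return False
    if event.get("eventType") == "AwsServiceEvent":
        return False
    return True


def classify(event: dict) -> RootUsageAlert | None:
    """Turn a matching record into an alert; ConsoleLogin is graded by outcome and MFA."""
    if not is_root_usage(event):
        return None
    name = event.get("eventName", "")
    severity = "high"  # any direct root API call is worth paging on
    if name == "ConsoleLogin":
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if outcome == "Failure":
            severity = "medium"  # someone is guessing the root password
        elif not mfa_used:
            severity = "critical"  # successful root login without MFA
    return RootUsageAlert(
        account_id=event["userIdentity"].get("accountId", ""),
        event_name=name,
        event_time=event.get("eventTime", ""),
        source_ip=event.get("sourceIPAddress", ""),
        severity=severity,
    )


def scan(records: list[dict]) -> list[RootUsageAlert]:
    """Run the detector over a list of records, e.g. one CloudTrail log file's "Records"."""
    return [alert for alert in map(classify, records) if alert is not None]


def _root(account_id: str) -> dict:
    # Helper for building constructed sample identities (hypothetical name).
    return {"type": "Root", "principalId": account_id, "accountId": account_id,
            "arn": f"arn:aws:iam::{account_id}:root"}


# Constructed sample records (not real CloudTrail output); field names follow the
# documented CloudTrail record format for sign-in events and API calls.
SAMPLE_RECORDS = [
    {"eventTime": "2024-11-20T08:01:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": _root("111122223333"),
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-11-20T08:05:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.20", "userIdentity": _root("111122223333"),
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-11-20T08:09:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "192.0.2.44", "userIdentity": _root("111122223333"),
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-11-20T08:12:00Z", "eventType": "AwsApiCall",
     "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.20", "userIdentity": _root("111122223333")},
    # Root identity, but an AWS service made the call on its behalf: not flagged.
    {"eventTime": "2024-11-20T08:15:00Z", "eventType": "AwsApiCall",
     "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {**_root("111122223333"), "invokedBy": "config.amazonaws.com"}},
    # Service-generated event: not flagged.
    {"eventTime": "2024-11-20T08:20:00Z", "eventType": "AwsServiceEvent",
     "eventName": "RotateSecret", "eventSource": "secretsmanager.amazonaws.com",
     "sourceIPAddress": "secretsmanager.amazonaws.com",
     "userIdentity": _root("111122223333")},
    # Ordinary IAM user login: not root, so outside this filter.
    {"eventTime": "2024-11-20T08:25:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(asdict(alert)))
```

In production the same pattern string goes into `aws logs put-metric-filter` against the CloudTrail log group, with a CloudWatch alarm on a threshold of 1 match in 5 minutes that notifies an SNS topic; the Python version is useful for back-testing the filter against exported trail files, or as the body of a Lambda fed by EventBridge when you want the MFA-aware grading rather than a single counter.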
Break-Glass Procedure Design:
- Root credentials stored in a physical safe or a secrets vault with dual control (physical security)
- MFA device stored separately from the password (dual control: no single person holds a complete credential)
- Access requires approval from 2+ authorized personnel
- All root usage is logged and reviewed within 24 hours, cross-checked against the approval record
- Root password rotated after every use, and the procedure rehearsed periodically so it works when it is actually needed
⚠️ Exam Trap: Do not reach for an SCP to contain root. SCPs apply to member-account root users but never to the management account, and root-only tasks such as changing the root password or MFA device are outside IAM authorization altogether. If a question asks how to restrict root access across member accounts, the answer is to remove the credentials with centralized root access management, or, where that is not yet possible, hardware MFA plus CloudTrail-based monitoring; an SCP alone is NOT the answer.
Scenario: A security audit reveals that 50 member accounts each have independent root credentials, 12 of which lack MFA. You enable centralized root access management through Organizations, delete the individual root credentials from every member account (new accounts will not receive one), and configure a CloudTrail-based CloudWatch alarm for any root activity. The management account's root user, the one root credential that remains, is protected with hardware MFA and the break-glass procedure above.
Reflection Question: Why can SCPs not be relied on to restrict the root user (consider the management account and the root-only tasks that never pass through IAM authorization), and how does centralized root management mitigate this risk?