AWS Account Administration

Main Ideas

  • There is only one root user and it has total access to the AWS account it is associated with.

  • The root user is identified with the email address and password used during AWS account sign up.

  • Don’t use the root user for general AWS administration.

  • Instead create users with IAM, each with varying permissions.

The Root User

When first creating an AWS account, one usually signs up with an email address and password. This creates a special user associated with that email address and password that has complete access to all AWS services and resources in the account. This identity is the AWS account root user.

IAM Administrator Users

Best practices for AWS account administration recommend creating at least one separate user with administrator privileges apart from the root user. This concept derives from a security best practice of the principle of least privilege.

A common confusion arises with how to sign in to and administer an AWS account. The two main mechanisms are using the root user or IAM.

AWS Sign In