AWS account root user credentials and IAM user credentials - AWS General Reference

AWS account root user credentials and IAM user credentials

There are different types of users in AWS. For example, there is the account owner (root user) and AWS Identity and Access Management (IAM) users. When you create an AWS account, we create the account root user. The root user or an IAM administrator for the account can create IAM users. All AWS users have security credentials.

Root user credentials

The credentials of the account owner allow full access to all resources in the account. You can't use IAM policies to deny the root user access to resources explicitly. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user. Because of this, we recommend that you create an IAM user with administrator permissions for everyday AWS tasks, and lock away the credentials for the root user.

There are specific tasks that are restricted to the AWS account root user. For example, only the root user can close your account. If you must perform a task that requires the root user, sign in to the AWS Management Console with the email address and password of the root user. For more information, see Tasks that require root user credentials in the AWS Account Management Reference Guide.

Considerations

  • Be sure to save the following in a secure location: the email address associated with your AWS account, the AWS account ID, the root user password, and your account access keys. If you forget or lose your root user password, you must have access to the email address associated with your account in order to reset it. If you lose your access keys, you must sign into your account to create new ones.

  • We strongly recommend that you do not use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.

  • Security credentials are account-specific. If you have access to multiple AWS accounts, you have separate credentials for each account.

  • Never share your AWS account root user password or access keys with anyone.

IAM credentials

With IAM, you can securely control access to AWS services and resources for users in your AWS account. For example, if you require administrator-level permissions, you can create an IAM user, grant that user full access, and then use those credentials to interact with AWS. If you must modify or revoke your permissions, you can delete or modify the policies that are associated with that IAM user.

If you have multiple users who require access to your AWS account, you can create unique credentials for each user and define who has access to which resources. You don't need to share credentials. For example, you can create IAM users with read-only access to resources in your AWS account and distribute those credentials to users.

For more information, see IAM identities in the IAM User Guide.