Securing the AWS root user

Adam Mendlik
Paragon Tech
Jan 22, 2024

In this article, we will look at the considerations for securing the root user of an AWS account.

Terminology

  • Account — AWS uses the word “account” exclusively to mean the container within which all your cloud resources exist. This is not to be confused with a “user”.
  • User — a security principal that authenticates the person or application acting as it. This is not to be confused with the human on the other end of the keyboard.
  • Root User — a special security principal within an AWS account with full administrative privileges that cannot be restricted by IAM policies. Each AWS account has exactly one root user.
  • Mailbox — a location to which mail is delivered. This is distinct from an email address: a single mailbox can have multiple email addresses associated with it.
  • Shared Mailbox — a mailbox that is not associated with a single individual, but can be accessed by one or more people.

Choosing the right email address

The first thing a lot of people get wrong when setting up their first AWS account is the email address associated with the root user. It can be changed later, but there are two reasons why it is important to choose the right email address from the start.

  1. Every AWS account must have a unique root user email address. Beginners usually bump into this when they create their second account and discover that their personal email address is already assigned to the first one. Plan ahead and assume you will have more than one account.
  2. The root user mailbox is used to reset the root password through the “I forgot my password” process. Unless an MFA device is registered on the root user, control of that mailbox is all an attacker needs to take over the account: reset the password, then sign in. This is one of the best reasons to enable MFA on your root user.

Recommendations

Here are our recommendations for managing the AWS account root user email and hardware token. If you are not sure why or how to use a hardware token with your root user, please check out this other article: Using MFA for your AWS root user.

Do not use the root user

Once the account is set up and a few administrative users are created, there are very few reasons to ever use the root user again. The list of tasks that require root user credentials is pretty short, and most of them you will never do, or do once at account creation time.

The main reason not to use the root user is that it is not associated with an individual. CloudTrail records its actions with a userIdentity type of “Root” and the account’s root ARN, so they cannot be attributed to a specific person.
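Because root should not be used after setup, any interactive root activity in CloudTrail is worth an alert. The following is an added example, not code from the article, that applies the root-usage filter from the CIS AWS Foundations Benchmark (userIdentity.type is "Root", no userIdentity.invokedBy, eventType is not "AwsServiceEvent") to constructed CloudTrail records. The account ID 123456789012, the IP addresses and the event details are placeholders.

```python
"""Detect interactive AWS root user activity in CloudTrail records.

Added example. The predicate is the CIS AWS Foundations Benchmark
root-usage metric filter:
  userIdentity.type == "Root"
  AND userIdentity.invokedBy does not exist   (not an AWS service acting for root)
  AND eventType != "AwsServiceEvent"
"""
import json
from typing import Iterable

# Constructed sample records mimicking CloudTrail's schema. The account ID
# (123456789012) and addresses (203.0.113.x) are documentation placeholders.
ROOT_IDENTITY = {
    "type": "Root",
    "principalId": "123456789012",
    "arn": "arn:aws:iam::123456789012:root",
    "accountId": "123456789012",
}
SAMPLE_EVENTS = [
    {   # A person signed in to the console as root: must be flagged.
        "eventTime": "2024-01-22T14:03:11Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": dict(ROOT_IDENTITY),
    },
    {   # Root created an access key: must be flagged (and is itself a bad sign).
        "eventTime": "2024-01-22T14:05:40Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": dict(ROOT_IDENTITY),
    },
    {   # An AWS service acting on the account's behalf (invokedBy set): skip.
        "eventTime": "2024-01-22T15:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketAcl",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "config.amazonaws.com",
        "userIdentity": {**ROOT_IDENTITY, "invokedBy": "config.amazonaws.com"},
    },
    {   # Normal administrator working through an IAM role: skip.
        "eventTime": "2024-01-22T15:10:22Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "203.0.113.25",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
            "accountId": "123456789012",
        },
    },
]


def is_interactive_root_event(event: dict) -> bool:
    """True for root activity initiated by whoever holds the root credentials,
    false for service-initiated or non-root events."""
    identity = event.get("userIdentity") or {}
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and event.get("eventType") != "AwsServiceEvent"
    )


def find_root_activity(events: Iterable[dict]) -> list[dict]:
    """Return one compact finding per interactive root event, in input order."""
    findings = []
    for event in events:
        if is_interactive_root_event(event):
            identity = event.get("userIdentity") or {}
            findings.append({
                "time": event.get("eventTime"),
                "account": identity.get("accountId"),
                "event": f"{event.get('eventSource')}:{event.get('eventName')}",
                "source_ip": event.get("sourceIPAddress"),
            })
    return findings


def scan_cloudtrail_log(text: str) -> list[dict]:
    """Scan the body of a CloudTrail log file, whose shape is {"Records": [...]}."""
    return find_root_activity(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for finding in find_root_activity(SAMPLE_EVENTS):
        print("ROOT ACTIVITY:", finding)
```

In production the same predicate runs as a CloudWatch Logs metric filter on the CloudTrail log group, `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`, with an alarm that fires on a single match; the Python form is useful for reviewing archived log files pulled from the log archive account.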

Use a shared mailbox

The email address should never be tied to an individual. This email address needs to be associated with a role and only indirectly assigned to one or more individuals. As explained in the sections that follow, a single shared mailbox is sufficient for all your AWS accounts.

Forget your root password

Set your root password to a randomly generated password of at least 20 characters. If you already have a secure password vault, use it. If not, the effort it takes to store the password securely and share it with the right people is not worth it: you will almost never use it and, if you ever actually need it, it is easy to reset using the “I forgot my password” process. If you follow these recommendations, you can simply discard the password.

This reveals an important detail: having access to the root user mailbox is as powerful as knowing the password.

When you set the password on your root user for the first time, register your hardware token for authentication at the same time, before you throw the password away.

Use subaddressing to create unique email addresses

Subaddressing (also called “plus addressing”) is a technique described in RFC 5233 (the Sieve subaddress extension) and supported by most popular email systems. It lets the sender include an arbitrary tag in the local part of a destination address, after the user name and before the domain. For example, if Bob has the address bob@example.com, subaddressing lets you send email to bob+security@example.com or bob+spam@example.com. Email sent to either address ends up in Bob’s mailbox.

Rather than setting up a shared mailbox for each AWS account, just use one (awsroot@example.com, for example) and use subaddressing to assign unique emails to each account.

  • awsroot+management@example.com
  • awsroot+audit@example.com
  • awsroot+logarchive@example.com
  • awsroot+bobs_sandbox@example.com

This feature is not widely known, but it is supported by default on most popular email systems like Microsoft 365 and Gmail. Check with your email provider, because the delimiter is not always +. With some providers, the subaddress needs to be set up in advance.
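An added example, not code from the article, that builds the per-account addresses from one shared mailbox, checks them against the RFC 5321 local-part limit and for collisions (AWS requires a distinct root email per account), and models how a subaddressing-aware mail system folds each address back to the shared mailbox on delivery. The mailbox awsroot@example.com and the account names are the article’s own; the delimiter parameter is there for providers that do not use +, and the set of characters allowed in a tag is a conservative assumption.

```python
"""Plan unique root user email addresses from one shared mailbox.

Added example. Given a shared mailbox (awsroot@example.com) and AWS account
names, derive one subaddressed ("plus") address per account, enforce the
64-character local-part limit from RFC 5321, reject collisions, and model
how the receiving system strips the tag so every message lands in one mailbox.
"""
import re

LOCAL_PART_MAX = 64  # RFC 5321, section 4.5.3.1.1

# Tag characters kept conservative on purpose (assumption): letters, digits,
# '_', '.', '-' work across common providers; anything else becomes '_'.
_TAG_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]+")


def make_root_email(mailbox: str, account_name: str, delimiter: str = "+") -> str:
    """Return the shared mailbox address with account_name as its subaddress tag."""
    if mailbox.count("@") != 1:
        raise ValueError(f"not a single user@domain address: {mailbox!r}")
    local, domain = mailbox.split("@")
    if delimiter in local:
        raise ValueError(f"mailbox local part already contains {delimiter!r}: {mailbox!r}")
    tag = _TAG_UNSAFE.sub("_", account_name.strip().lower()).strip("_")
    if not tag:
        raise ValueError(f"cannot derive a subaddress tag from {account_name!r}")
    new_local = f"{local}{delimiter}{tag}"
    if len(new_local) > LOCAL_PART_MAX:
        raise ValueError(
            f"local part {new_local!r} is {len(new_local)} chars; RFC 5321 allows {LOCAL_PART_MAX}"
        )
    return f"{new_local}@{domain}"


def resolve_mailbox(address: str, delimiter: str = "+") -> str:
    """What a subaddressing-aware mail system does on delivery: drop the tag."""
    local, domain = address.split("@", 1)
    return f"{local.split(delimiter, 1)[0]}@{domain}".lower()


def plan_root_emails(mailbox: str, account_names: list[str], delimiter: str = "+") -> dict[str, str]:
    """Map each account name to a unique root email, all folding to `mailbox`.

    Raises ValueError if two account names produce the same address: AWS will
    refuse the second account, and the two would be indistinguishable in the
    mailbox anyway.
    """
    plan: dict[str, str] = {}
    owner_of: dict[str, str] = {}
    for name in account_names:
        address = make_root_email(mailbox, name, delimiter)
        key = address.lower()
        if key in owner_of:
            raise ValueError(f"accounts {owner_of[key]!r} and {name!r} both map to {address}")
        if resolve_mailbox(address, delimiter) != mailbox.lower():
            raise ValueError(f"{address} would not be delivered to {mailbox}")
        owner_of[key] = name
        plan[name] = address
    return plan


if __name__ == "__main__":
    # Account names and mailbox are the article's examples.
    for account, email in plan_root_emails(
        "awsroot@example.com", ["management", "audit", "logarchive", "bobs_sandbox"]
    ).items():
        print(f"{account:<14} {email:<36} -> {resolve_mailbox(email)}")
```

The addresses the plan produces are what you pass as --email to `aws organizations create-account`. Run the plan before creating accounts: AWS will reject a duplicate address, but it cannot tell you that your provider rejects the delimiter or requires each tag to exist in advance. The resolve_mailbox check models only the convention of stripping everything from the delimiter onward, so confirm the real behaviour by sending a test message to each address before handing it to AWS.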

Separate the hardware key from the shared mailbox

Again, there are very few reasons you should use the root user after the initial account setup. If the same person has access to the shared mailbox and the hardware key, that person could perform administrative actions on the account that cannot be traced back to them. So, do this instead:

  • Assign the shared mailbox to your IT Administrator team. They can read anyone’s email anyway.
  • Give the hardware token to your IT Security team. They will usually have a physical vault for this kind of thing.

Now, no one can use your root user without the IT Administrator and IT Security teams working in collaboration.

Use a shared phone number

We’ve covered how the “I forgot my password” process uses the root user mailbox, but what happens when you’ve lost your MFA device? AWS has a recovery flow for that: after you sign in with the password and choose to troubleshoot the authentication device, it first sends a verification code to the root user mailbox, then an automated system calls the voice phone number in the account’s contact information and speaks a six-digit code. Entering both lets you sign in without the hardware token and register a new one.

This reveals another important detail: having access to the voice phone number is as powerful as having the hardware token.

The phone number serves an analogous role to the email mailbox. Where the mailbox can be used to bypass knowledge of the password, the phone number can be used to bypass possession of the hardware token. For this reason, it should also be a shared phone number. The number should be routed to the same group that holds the hardware token: the IT Security team.

Use a single shared mailbox and single hardware token

Because the shared mailbox will always be assigned to the IT Administrator team, and the hardware token will always be held by the IT Security team, there is no real benefit to using multiple shared mailboxes or multiple hardware tokens for different AWS accounts. Two caveats apply. First, this only works with a FIDO security key, which can be registered with any number of AWS accounts; a hardware TOTP token holds a single seed and is bound to one user. Second, whoever controls the one mailbox can reset the password of every root user, so the hardware token must be enabled on every account without exception. Since AWS allows several MFA devices per root user, the IT Security team can also register a second key as a backup so that losing one does not force the phone-based recovery flow.

Summary

There is a lot to consider when setting up your AWS root user, but the guidance is easy to follow:

  1. Don’t plan to use your root user after the initial account setup.
  2. Use one shared mailbox for all your AWS root user emails.
  3. Use email subaddressing (“plus” addressing) to create multiple, unique email addresses for that single shared mailbox.
  4. Assign access to the shared mailbox to your IT Administrator team.
  5. Use one hardware token for all your AWS root users.
  6. Assign possession of the hardware token to your IT Security team.
  7. Set a shared phone number in your AWS account contact information, and route those calls to your IT Security team.

For more details on how to use a hardware token with the AWS root user, please see this article: Using MFA for your AWS root user.

CTO and Principal Cloud Architect at Paragon Solutions Group.