How to protect your AWS Root Account?

May 31, 2022

One of the first steps when creating an Amazon Web Services (AWS) account is to create an identity that has access and control of all AWS resources. This identity is known as the account owner or root user. It is not advisable to use the root account for daily tasks, so you need to create Identity and Access Management (IAM) users who have limited control over the account. 

As the root user has a high level of access to take any action on your environment, you need to make sure it is safe. 

Implementing strict security protocols in the root account is a must for oganizations. One of the most critical recommendation is not to use this account for every day tasks. However, a recent audit found that the use of the root account occurs in 143 accounts and 65 organizations.

Our Cybersecurity Studio helps clients build safer digital experiences. Understanding security risks and using AWS tools properly ensures your digital enviornment is secured, allowing your organization to focus on developing better services and experiences.

Abigail Kauf, certified AWS security specialist

In this blog, we will explore how to secure your root account.

Basic recommendations

Before diving into coding, we advise you to follow these simple recommendations to protect your root user:

  • Do not use a root user for daily tasks. Use your root user only to create an IAM user.
  • Do not create an access key for this account unless necessary; delete it if you have an access key.
  • If you need a key for this account, generate the periodic rotation. 
  • Never share the key or password with anyone. 
  • Use a strong password to protect the security of your account. 
  • Enable MFA (Multi-factor Authentication) for this account. 

How to enable monitoring for the root user with CloudTrail 

Securing the root account login attempts is crucial. We will explain how to use the AWS Cloud Trail to audit this security event in the following steps. 

You can audit the root user logging attempts in the CloudTrail; the following example shows a logging event:


    “eventVersion”: “1.05”,

    “userIdentity”: {

        “type”: “Root”,

        “principalId”: “AIDACKCEVSQ6C2EXAMPLE”,

        “arn”: “arn:aws:iam::111122223333:root”,

        “accountId”: “111122223333”,

        “accessKeyId”: “”


    “eventTime”: “2018-08-29T16:24:34Z”,

    “eventSource”: “”,

    “eventName”: “ConsoleLogin”,

    “awsRegion”: “us-east-1”,

    “sourceIPAddress”: “”,

    “userAgent”: “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0”,

    “requestParameters”: null,

    “responseElements”: {

        “ConsoleLogin”: “Success”


    “additionalEventData”: {

        “LoginTo”: “”,

        “MobileVersion”: “No”,

        “MFAUsed”: “No”


    “eventID”: “deb1e1f9-c99b-4612-8e9f-21f93b5d79c0”,

    “eventType”: “AwsConsoleSignIn”,

    “recipientAccountId”: “111122223333”


  1. To enable the CloudTrail to view the logging activities, you need to create a new trail in the AWS CloudTrail console and select “create a new trail.” 

Then, you need to add the trail name, the store location, the name of the folder, and the logs files encryption. Also, you need to specify whether you want to create an AWS KMS key notification and if you need to send the logs to CloudWatch logs. 

  1. You need to select the types of events where you prefer to enable the logs. In this case, management events are enough. Click next.
Ta7dqlNiThUIk27jAMzw QFKa5ENm1SIHt GKtHQiNv5SdGvVwzCuTc3Dq RQEjzhmeCZU9A4MHMqNlotnY 973Eq5K iGS5iMEMSOzhbZVXqUUwNDkAIrnTqjKVGLm d9 iRB2r3eEDwNTtbg
  1. In step three, you review the information and select create. 
zhadbEauhkcIk556jBC mCJ1VZG62YccHLPF5DqrUYAq 970ee28e4s2PwuXpSb2 LBED1MZfGywLJSS6VM39K

Then, you will see the events in the S3 Bucket defined to store the CloudTrail information. 

dk98Cb8xVQ0li71mtUdkET9GH6jvdUg spGpd8OTCZWVZWIObO7W7tVhcfQzqAM88MgALRx0fivEFo7bvm3FKoL3cqnGjyGiXTzKSJGFTauDuv v5AJw7 5BE4QiLBjbjHdHRCk9acpYKnbBdg

Security is king

Make sure to give special attention to the security of the root user in AWS. It is best to implement the security recommendation for the Cloud Service Provider. We advise reviewing the security login event of this user account periodically to protect your data and digital ecosystem.

If you want to know more about how we help organizations create safer experiences and adapt to the new digital paradigm, visit our Cybersecurity Studio.

Subscribe to our newsletter

Receive the latests news, curated posts and highlights from us. We’ll never spam, we promise.

More From

The Cybersecurity Studio focuses on reducing our clients’ cybersecurity risks. To help businesses adapt, we established a Digital Cybersecurity Framework founded by our key practices. Our value proposition considers an active participation in the software development process and a proactive view on cybersecurity solutions that include regular vulnerability tests and threat intelligence.