Avoid Use of the Root Account

Least Privilege for the Root Account
A critical aspect of security in AWS is to make sure you avoid use of the AWS root account whenever possible, implementing the best practice of least privilege. Because the root account has access to all AWS services and resources in your AWS account, active use of this user should be avoided. There are many layers of security that should surround the root account so that, unless emergency access is required, actions cannot be taken from this account.

Recommendation 1.1 of the CIS AWS Foundations Benchmark tell us that minimizing the use of the root account account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials. For more information, visit the AWS documentation on AWS root accounts

One of the critical security principles that you want to implement is to ensure that you are using the AWS root account as little as possible. The CIS best practices tell us that the AWS root account is one of the privilege accounts in the AWS environment. As such, we want to implement the idea of least privilege. To do that, we want to make sure that we are only using the root account for as little as possible to execute identified actions. To do that, you can do two things. You can institute a logging metric, which will notify appropriate personnel when the AWS account is logged into. Also, you can generate an AWS credentials report. An AWS credentials report will notify you when the last time the AWS root account was logged into. You can go into your AWS Management Console and generate an AWS credentials report from the AWS IAM Dashboard.

Related Videos