# AWS account root user


When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account *root user*. The email address and password that you used to create your AWS account are the credentials you use to sign in as your root user.
+ Use the root user only to perform the tasks that require root-level permissions. For the complete list of tasks that require you to sign in as the root user, see [Tasks that require root user credentials](#root-user-tasks). 
+ Follow the [root user best practices for your AWS account](root-user-best-practices.md).
+ If you're having trouble signing in, see [Sign in to the AWS Management Console](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html).

**Important**  
We strongly recommend that you don't use the root user for your everyday tasks and that you follow the [root user best practices for your AWS account](root-user-best-practices.md). Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see [Tasks that require root user credentials](#root-user-tasks). 

While MFA is enforced for root users by default, it requires customer action to add MFA during the initial account creation or as prompted during sign-in. For more information about using MFA to protect the root user, see [Multi-factor authentication for AWS account root user](enable-mfa-for-root.md).

## Centrally manage root access for member accounts


To help you manage credentials at scale, you can centrally secure access to root user credentials for member accounts in AWS Organizations. When you enable AWS Organizations, you combine all your AWS accounts into an organization for central management. Centralizing root access lets you remove root user credentials and perform the following privileged tasks on member accounts.

**Remove member account root user credentials**  
After you [centralize root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html), you can choose to delete root user credentials from member accounts in your organization. You can remove the root user password, access keys, and signing certificates, and deactivate multi-factor authentication (MFA). New accounts you create in Organizations have no root user credentials by default. Member accounts can't sign in to their root user or perform password recovery for their root user unless account recovery is enabled.

**Perform privileged tasks that require root user credentials**  
Some tasks can only be performed when you sign in as the root user of an account. Some of these [Tasks that require root user credentials](#root-user-tasks) can be performed by the management account or delegated administrator for IAM. To learn more about taking privileged actions on member accounts, see [Perform a privileged task](id_root-user-privileged-task.md).

**Enable account recovery of the root user**  
If you need to recover root user credentials for a member account, the Organizations management account or delegated administrator can perform the **Allow password recovery** privileged task. The person with access to the root user email inbox for the member account can [reset the root user password](https://docs.aws.amazon.com/IAM/latest/UserGuide/reset-root-password.html) to recover root user credentials. We recommend deleting root user credentials once you complete the task that requires access to the root user.

# Centralize root access for member accounts

Root user credentials are the initial credentials assigned to each AWS account that has complete access to all AWS services and resources in the account. When you enable AWS Organizations, you combine all your AWS accounts into an organization for central management. Each member account has its own root user with default permissions to perform any action in the member account. We recommend you centrally secure the root user credentials of AWS accounts managed using AWS Organizations to prevent root user credential recovery and access at scale.

After you centralize root access, you can choose to delete root user credentials from member accounts in your organization. You can remove the root user password, access keys, signing certificates, and deactivate multi-factor authentication (MFA). New accounts you create in AWS Organizations have no root user credentials by default. Member accounts can't sign in to their root user or perform password recovery for their root user.

**Note**  
While some [Tasks that require root user credentials](id_root-user.md#root-user-tasks) can be performed by the management account or delegated administrator for IAM, some tasks can only be performed when you sign in as the root user of an account.  
If you need to recover root user credentials for a member account to perform one of these tasks, follow the steps in [Perform a privileged task](id_root-user-privileged-task.md) and select **Allow password recovery**. The person with access to the root user email inbox for the member account can then follow the steps to [reset the root user password](https://docs.aws.amazon.com/IAM/latest/UserGuide/reset-root-password.html) and sign in to the member account root user.  
We recommend deleting root user credentials once you complete the task that requires access to the root user.

## Prerequisites


Before you centralize root access, you must have an account configured with the following settings:
+ You must have the following IAM permissions:
  + `iam:GetAccessKeyLastUsed`
  + `iam:GetAccountSummary`
  + `iam:GetLoginProfile`
  + `iam:GetUser`
  + `iam:ListAccessKeys`
  + `iam:ListMFADevices`
  + `iam:ListSigningCertificates`
  + `sts:AssumeRoot`
**Note**  
To audit the root user credential status of a member account, you can use the [IAMAuditRootUserCredentials](security-iam-awsmanpol.md#security-iam-awsmanpol-IAMAuditRootUserCredentials) AWS managed policy to scope down permissions when you perform a privileged task on an AWS Organizations member account, or use any policy with access to `iam:GetAccountSummary`.  
To generate the root user credential information report, other policies only need the `iam:GetAccountSummary` action to produce the same output. You can also list or get individual root user credential information, including:  
  + Whether a root user password is present
  + Whether a root user access key is present and when it was last used
  + Whether the root user has associated signing certificates
  + Root user associated MFA devices
  + List of the consolidated root user credential status
+ You must manage your AWS accounts in [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html).
+ You must have the following permissions to enable this feature in your organization:
  + `iam:EnableOrganizationsRootCredentialsManagement`
  + `iam:EnableOrganizationsRootSessions`
  + `iam:ListOrganizationsFeatures`
  + `organizations:EnableAwsServiceAccess`
  + `organizations:ListAccountsForParent`
  + `organizations:RegisterDelegatedAdministrator` 
+ To ensure optimal console functionality, we recommend enabling the following additional permissions:
  + `organizations:DescribeAccount`
  + `organizations:DescribeOrganization`
  + `organizations:ListAWSServiceAccessForOrganization`
  + `organizations:ListDelegatedAdministrators`
  + `organizations:ListOrganizationalUnitsForParent`
  + `organizations:ListParents`
  + `organizations:ListTagsForResource`

## Enabling centralized root access (console)


**To enable this feature for member accounts in the AWS Management Console**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the console, choose **Root access management**, and then select **Enable**.
**Note**  
If you see **Root access management is disabled**, enable trusted access for AWS Identity and Access Management in AWS Organizations. For details, see [AWS IAM and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-iam.html) in the *AWS Organizations User Guide*.

1. In the Capabilities to enable section, choose which features to enable.
   + Select **Root credentials management** to allow the management account and the delegated administrator for IAM to delete root user credentials for member accounts. You must enable Privileged root actions in member accounts to allow member accounts to recover their root user credentials after they have been deleted.
   + Select **Privileged root actions in member accounts** to allow the management account and the delegated administrator for IAM to perform certain tasks that require root user credentials.

1. (Optional) Enter the account ID of the **Delegated administrator** that is authorized to manage root user access and take privileged actions on member accounts. We recommend an account that is intended for security or management purposes.

1. Choose **Enable**.

## Enabling centralized root access (AWS CLI)


**To enable centralized root access from the AWS Command Line Interface (AWS CLI)**

1. If you haven't already enabled trusted access for AWS Identity and Access Management in AWS Organizations, use the following command: [aws organizations enable-aws-service-access](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/enable-aws-service-access.html).

1. Use the following command to allow the management account and the delegated administrator to delete root user credentials for member accounts: [aws iam enable-organizations-root-credentials-management](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/enable-organizations-root-credentials-management.html).

1. Use the following command to allow the management account and the delegated administrator to perform certain tasks that require root user credentials: [aws iam enable-organizations-root-sessions](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/enable-organizations-root-sessions.html).

1. (Optional) Use the following command to register a delegated administrator: [aws organizations register-delegated-administrator](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/register-delegated-administrator.html).

   The following example assigns account 111111111111 as the delegated administrator for the IAM service.

   ```
   aws organizations register-delegated-administrator \
     --service-principal iam.amazonaws.com \
     --account-id 111111111111
   ```
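The CLI steps above run unattended as the following script, which is an added example and not code from the AWS documentation or the AWS CLI. It assumes boto3 is installed and that the caller holds management-account credentials; the feature names `RootCredentialsManagement` and `RootSessions` are assumed to be the values that `iam:ListOrganizationsFeatures` returns in `EnabledFeatures`. The pure helpers check the result, and `enablement_warnings` flags the case the console note warns about: root credentials management enabled without privileged root actions, which leaves deleted root credentials unrecoverable.

```python
"""Enable centralized root access for an organization and verify it (added example)."""
from __future__ import annotations

# Feature names assumed to match iam:ListOrganizationsFeatures -> EnabledFeatures.
ROOT_CREDENTIALS_MANAGEMENT = "RootCredentialsManagement"
ROOT_SESSIONS = "RootSessions"
REQUIRED_FEATURES = (ROOT_CREDENTIALS_MANAGEMENT, ROOT_SESSIONS)


def missing_features(list_features_response: dict) -> list[str]:
    """Return the centralized-root features that are not yet enabled.

    `list_features_response` is the dict returned by iam.list_organizations_features();
    only its EnabledFeatures list is inspected, so it can be tested offline.
    """
    enabled = set(list_features_response.get("EnabledFeatures", []))
    return [feature for feature in REQUIRED_FEATURES if feature not in enabled]


def enablement_warnings(list_features_response: dict) -> list[str]:
    """Flag a configuration the guide warns about: credentials management without
    root sessions means the Allow password recovery task is unavailable, so any
    member account whose root credentials are deleted cannot recover them."""
    enabled = set(list_features_response.get("EnabledFeatures", []))
    warnings = []
    if ROOT_CREDENTIALS_MANAGEMENT in enabled and ROOT_SESSIONS not in enabled:
        warnings.append(
            "RootCredentialsManagement is enabled without RootSessions: member "
            "accounts whose root credentials are deleted cannot have password "
            "recovery re-enabled."
        )
    return warnings


def enable_centralized_root_access(delegated_admin_account_id: str | None = None) -> dict:
    """Perform the four CLI steps with boto3 and return the resulting feature state.

    Requires credentials for the Organizations management account. boto3 is
    imported inside the function so the pure helpers above need no AWS SDK.
    """
    import boto3  # assumed to be installed in the operator's environment

    organizations = boto3.client("organizations")
    iam = boto3.client("iam")

    # Step 1: trusted access for IAM in Organizations (safe to repeat).
    organizations.enable_aws_service_access(ServicePrincipal="iam.amazonaws.com")

    # Steps 2 and 3: only call the enable APIs for features not already on.
    current = set(iam.list_organizations_features().get("EnabledFeatures", []))
    if ROOT_CREDENTIALS_MANAGEMENT not in current:
        iam.enable_organizations_root_credentials_management()
    if ROOT_SESSIONS not in current:
        iam.enable_organizations_root_sessions()

    # Step 4 (optional): register the delegated administrator for the IAM service.
    if delegated_admin_account_id:
        organizations.register_delegated_administrator(
            AccountId=delegated_admin_account_id,
            ServicePrincipal="iam.amazonaws.com",
        )

    final = iam.list_organizations_features()
    return {"missing": missing_features(final), "warnings": enablement_warnings(final)}


if __name__ == "__main__":
    # Account ID taken from the CLI example above; replace with your security account.
    print(enable_centralized_root_access(delegated_admin_account_id="111111111111"))
```

Run it once from the management account; a non-empty `missing` list means one of the enable calls did not take effect and the console will still show the capability as disabled.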

## Enabling centralized root access (AWS API)


**To enable centralized root access from the AWS API**

1. If you haven't already enabled trusted access for AWS Identity and Access Management in AWS Organizations, use the following command: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html).

1. Use the following command to allow the management account and the delegated administrator to delete root user credentials for member accounts: [EnableOrganizationsRootCredentialsManagement](https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableOrganizationsRootCredentialsManagement.html).

1. Use the following command to allow the management account and the delegated administrator to perform certain tasks that require root user credentials: [EnableOrganizationsRootSessions](https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableOrganizationsRootSessions.html).

1. (Optional) Use the following command to register a delegated administrator: [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html).

## Next steps


Once you've centrally secured privileged credentials for the member accounts in your organization, see [Perform a privileged task](id_root-user-privileged-task.md) to take privileged actions on a member account.

# Perform a privileged task on an AWS Organizations member account

The AWS Organizations management account or a delegated administrator account for IAM can perform some privileged tasks on member accounts that would otherwise require root user credentials. With centralized root access, these tasks are performed through short-term privileged sessions. These sessions provide temporary credentials scoped to specific privileged actions, without requiring root user sign-in on the member account.

Once you launch a privileged session, you can delete a misconfigured Amazon S3 bucket policy, delete a misconfigured Amazon SQS queue policy, delete the root user credentials for a member account, and reenable root user credentials for a member account.

**Note**  
To use centralized root access, you must sign in via a management account or a delegated administrator account as an IAM user or role with the `sts:AssumeRoot` permission explicitly granted. You cannot use root user credentials to call `sts:AssumeRoot`.

## Prerequisites


Before you can launch a privileged session, you must have the following settings:
+ You have enabled centralized root access in your organization. For steps to enable this feature, see [Centralize root access for member accounts](id_root-enable-root-access.md).
+ Your management account or delegated administrator account has the `sts:AssumeRoot` permission.

## Taking a privileged action on a member account (console)


**To launch a session for privileged action in a member account in the AWS Management Console**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the console, choose **Root access management**.

1. Select a name from the member account list, and choose **Take privileged action**.

1. Choose the privileged action you want to take in the member account.
   + Select **Delete Amazon S3 bucket policy** to remove a misconfigured bucket policy that denies all principals from accessing the Amazon S3 bucket.

     1. Choose **Browse S3** to select a name from the buckets owned by the member account, and select **Choose**.

     1. Choose **Delete bucket policy**.

     1. Use the Amazon S3 console to correct the bucket policy after deleting the misconfigured policy. For more information, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon S3 User Guide*.
   + Select **Delete Amazon SQS policy** to delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.

     1. Enter the queue name in **SQS queue name**, and select **Delete SQS policy**.

     1. Use the Amazon SQS console to correct the queue policy after deleting the misconfigured policy. For more information, see [Configuring an access policy in Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-add-permissions.html) in the *Amazon SQS Developer Guide*.
   + Select **Delete root credentials** to remove root access from a member account. Deleting root user credentials removes the root user password, access keys, signing certificates, and deactivates multi-factor authentication (MFA) for the member account.

     1. Choose **Delete root credentials**.
   + Select **Allow password recovery** to recover root user credentials for a member account.

     This option is only available when the member account has no root user credentials.

     1. Choose **Allow password recovery**.

     1. After taking this privileged action, the person with access to the root user email inbox for the member account can [reset the root user password](https://docs.aws.amazon.com/IAM/latest/UserGuide/reset-root-password.html) and sign in to the member account root user.

## Taking a privileged action on a member account (AWS CLI)


**To launch a session for privileged action in a member account from the AWS Command Line Interface**

1. Use the following command to assume a root user session: [aws sts assume-root](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-root.html).
**Note**  
The global endpoint is not supported for `sts:AssumeRoot`. You must send this request to a Regional AWS STS endpoint. For more information, see [Manage AWS STS in an AWS Region](id_credentials_temp_enable-regions.md).

   When you launch a privileged root user session for a member account, you must define `task-policy-arn` to scope the session to the privileged action to be performed during the session. You can use one of the following AWS managed policies to scope privileged session actions.
   + [IAMAuditRootUserCredentials](security-iam-awsmanpol.md#security-iam-awsmanpol-IAMAuditRootUserCredentials)
   + [IAMCreateRootUserPassword](security-iam-awsmanpol.md#security-iam-awsmanpol-IAMCreateRootUserPassword)
   + [IAMDeleteRootUserCredentials](security-iam-awsmanpol.md#security-iam-awsmanpol-IAMDeleteRootUserCredentials)
   + [S3UnlockBucketPolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-S3UnlockBucketPolicy)
   + [SQSUnlockQueuePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-SQSUnlockQueuePolicy)

   To limit the actions a management account or delegated administrator can perform during a privileged root user session, you can use the AWS STS condition key [sts:TaskPolicyArn](reference_policies_iam-condition-keys.md#ck_taskpolicyarn).

   In the following example, the delegated administrator assumes root to delete the root user credentials for the member account ID *111122223333*.

   ```
   aws sts assume-root \
     --target-principal 111122223333 \
     --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials \
     --duration-seconds 900
   ```

1. Use the `SessionToken`, `AccessKeyId`, and `SecretAccessKey` from the response to perform privileged actions in the member account. You can omit the user name and password in the request to default to the member account.
   + **Check the status of root user credentials**. Use the following commands to check the status of root user credentials for a member account.
     + [get-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-user.html)
     + [get-login-profile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-login-profile.html)
     + [list-access-keys](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html)
     + [list-signing-certificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-signing-certificates.html)
     + [list-mfa-devices](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-mfa-devices.html)
     + [get-access-key-last-used](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-access-key-last-used.html)
   + **Delete root user credentials**. Use the following commands to delete root access. You can remove the root user password, access keys, signing certificates, and deactivate multi-factor authentication (MFA) to remove all access to and recovery of the root user.
     + [delete-login-profile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-login-profile.html)
     + [delete-access-key](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-access-key.html)
     + [delete-signing-certificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-signing-certificate.html)
     + [deactivate-mfa-device](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html)
   + **Delete Amazon S3 bucket policy**. Use the following commands to read, edit, and delete a misconfigured bucket policy that denies all principals from accessing the Amazon S3 bucket.
     + [list-buckets](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-buckets.html)
     + [get-bucket-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html)
     + [put-bucket-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html)
     + [delete-bucket-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html)
   + **Delete Amazon SQS policy**. Use the following commands to view and delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.
     + [list-queues](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/list-queues.html)
     + [get-queue-url](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-url.html)
     + [get-queue-attributes](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html)
     + [set-queue-attributes](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html)
   + **Allow password recovery**. Use the following commands to view the user name and recover root user credentials for a member account.
     + [get-login-profile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-login-profile.html)
     + [create-login-profile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-login-profile.html)
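The two controls in this section, scoping the session with a root-task policy and restricting the caller with `sts:TaskPolicyArn`, fit together as in the following script. It is an added example, not code from the AWS documentation or SDK. It assumes boto3 is installed; that every managed root-task policy follows the ARN form shown for `IAMDeleteRootUserCredentials` and `S3UnlockBucketPolicy` on this page; that `sts:TaskPolicyArn` accepts ARN condition operators; and that `AccountPasswordPresent`, `AccountAccessKeysPresent`, `AccountSigningCertificatesPresent` and `AccountMFAEnabled` are the root-credential counters in the `SummaryMap` that `get-account-summary` returns. The session is opened against a Regional STS endpoint because the global endpoint is not supported.

```python
"""Scoped AssumeRoot session that audits a member account's root credentials (added example)."""
from __future__ import annotations

import json

# Managed root-task policies listed in the guide; the ARN form is assumed to match the
# IAMDeleteRootUserCredentials and S3UnlockBucketPolicy examples on this page.
ROOT_TASK_POLICY_ARNS = {
    name: f"arn:aws:iam::aws:policy/root-task/{name}"
    for name in (
        "IAMAuditRootUserCredentials",
        "IAMCreateRootUserPassword",
        "IAMDeleteRootUserCredentials",
        "S3UnlockBucketPolicy",
        "SQSUnlockQueuePolicy",
    )
}


def assume_root_policy_document(allowed_tasks: list[str]) -> dict:
    """Identity policy for the delegated administrator's role: sts:AssumeRoot is allowed
    only when the session is scoped to one of the named root tasks (sts:TaskPolicyArn).
    Unknown task names raise instead of silently widening the allow list."""
    unknown = [task for task in allowed_tasks if task not in ROOT_TASK_POLICY_ARNS]
    if unknown:
        raise ValueError(f"unknown root task policy: {unknown}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRoot",
            "Resource": "*",
            "Condition": {"ArnEquals": {
                "sts:TaskPolicyArn": [ROOT_TASK_POLICY_ARNS[task] for task in allowed_tasks]
            }},
        }],
    }


def root_credential_status(summary_map: dict) -> dict:
    """Interpret the SummaryMap from iam:GetAccountSummary for the root user.
    The four keys are assumed to be the root-credential counters (1 present, 0 absent)."""
    def present(key: str) -> bool:
        return int(summary_map.get(key, 0)) > 0

    status = {
        "password": present("AccountPasswordPresent"),
        "access_keys": present("AccountAccessKeysPresent"),
        "signing_certificates": present("AccountSigningCertificatesPresent"),
        "mfa": present("AccountMFAEnabled"),
    }
    # A root sign-in needs either a password or an access key; certificates and MFA alone do not suffice.
    status["root_sign_in_possible"] = status["password"] or status["access_keys"]
    return status


def assume_root_credentials(target_account: str, task: str, region: str, duration: int = 900) -> dict:
    """Call sts:AssumeRoot on a Regional STS endpoint with the session scoped to one root task."""
    import boto3  # assumed available; imported here so the pure helpers need no AWS SDK

    # Explicit Regional endpoint: the global STS endpoint does not support AssumeRoot.
    sts = boto3.client("sts", region_name=region, endpoint_url=f"https://sts.{region}.amazonaws.com")
    response = sts.assume_root(
        TargetPrincipal=target_account,
        TaskPolicyArn={"arn": ROOT_TASK_POLICY_ARNS[task]},
        DurationSeconds=duration,
    )
    return response["Credentials"]


def audit_member_root_credentials(target_account: str, region: str = "us-east-2") -> dict:
    """Open an audit-scoped root session and report which root credentials exist."""
    import boto3

    creds = assume_root_credentials(target_account, "IAMAuditRootUserCredentials", region)
    iam = boto3.client(
        "iam",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return root_credential_status(iam.get_account_summary()["SummaryMap"])


if __name__ == "__main__":
    print(json.dumps(assume_root_policy_document(["IAMAuditRootUserCredentials"]), indent=2))
    print(audit_member_root_credentials("111122223333"))  # member account ID from the example above
```

Attach the generated policy to the role the delegated administrator uses; a session requested with any other task policy, including the delete and unlock policies, is then refused at the `AssumeRoot` call rather than relying on the task policy alone.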

## Taking a privileged action on a member account (AWS API)


**To launch a session for privileged action in a member account from the AWS API**

1. Use the following command to assume a root user session: [AssumeRoot](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html).
**Note**  
The global endpoint is not supported for AssumeRoot. You must send this request to a Regional AWS STS endpoint. For more information, see [Manage AWS STS in an AWS Region](id_credentials_temp_enable-regions.md).

   When you launch a privileged root user session for a member account, you must define `TaskPolicyArn` to scope the session to the privileged action to be performed during the session. You can use one of the following AWS managed policies to scope privileged session actions.
   + [IAMAuditRootUserCredentials](security-iam-awsmanpol.md#security-iam-awsmanpol-IAMAuditRootUserCredentials)
   + [IAMCreateRootUserPassword](security-iam-awsmanpol.md#security-iam-awsmanpol-IAMCreateRootUserPassword)
   + [IAMDeleteRootUserCredentials](security-iam-awsmanpol.md#security-iam-awsmanpol-IAMDeleteRootUserCredentials)
   + [S3UnlockBucketPolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-S3UnlockBucketPolicy)
   + [SQSUnlockQueuePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-SQSUnlockQueuePolicy)

   To limit the actions a management account or delegated administrator can perform during a privileged root user session, you can use the AWS STS condition key [sts:TaskPolicyArn](reference_policies_iam-condition-keys.md#ck_taskpolicyarn).

   In the following example, the delegated administrator assumes root to read, edit and delete a misconfigured resource-based policy for an Amazon S3 bucket for the member account ID *111122223333*.

   ```
   https://sts.us-east-2.amazonaws.com/
     ?Version=2011-06-15
     &Action=AssumeRoot
     &TargetPrincipal=111122223333
     &TaskPolicyArn.arn=arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy
     &DurationSeconds=900
   ```

1. Use the `SessionToken`, `AccessKeyId`, and `SecretAccessKey` from the response to perform privileged actions in the member account. You can omit the user name and password in the request to default to the member account.
   + **Check the status of root user credentials**. Use the following commands to check the status of root user credentials for a member account.
     + [GetUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html)
     + [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)
     + [ListAccessKeys](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html)
     + [ListSigningCertificates](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListSigningCertificates.html)
     + [ListMFADevices](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListMFADevices.html)
     + [GetAccessKeyLastUsed](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccessKeyLastUsed.html)
   + **Delete root user credentials**. Use the following commands to delete root access. You can remove the root user password, access keys, signing certificates, and deactivate multi-factor authentication (MFA) to remove all access to and recovery of the root user.
     + [DeleteLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteLoginProfile.html)
     + [DeleteAccessKey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccessKey.html)
     + [DeleteSigningCertificate](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSigningCertificate.html)
     + [DeactivateMFADevice](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html)
   + **Delete Amazon S3 bucket policy**. Use the following commands to read, edit, and delete a misconfigured bucket policy that denies all principals from accessing the Amazon S3 bucket.
     + [ListBuckets](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html)
     + [GetBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html)
     + [PutBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html)
     + [DeleteBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html)
   + **Delete Amazon SQS policy**. Use the following commands to view and delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.
     + [ListQueues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ListQueues.html)
     + [GetQueueUrl](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueUrl.html)
     + [GetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueAttributes.html)
     + [SetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html)
   + **Allow password recovery**. Use the following commands to view the user name and recover root user credentials for a member account.
     + [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)
     + [CreateLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html)
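Before deleting a bucket policy in the S3 unlock flow above, it is worth confirming from the `GetBucketPolicy` output that the policy really is a total lockout and not, for example, a conditional deny that enforces TLS. The following checker is an added example, not code from the AWS documentation or SDK. Its notion of "lockout" is a heuristic of this example: an unconditional `Deny` for all principals over `s3:*` (or `*`) covering the bucket or its objects. `unlock_bucket` expects a boto3 S3 client built from `AssumeRoot` credentials scoped to `S3UnlockBucketPolicy`; the two sample policies are constructed for illustration.

```python
"""Confirm that an S3 bucket policy locks everyone out before deleting it (added example)."""
from __future__ import annotations

import json


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean all principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lockout_statements(policy_document: str | dict, bucket_name: str) -> list[dict]:
    """Return the Deny statements that block all principals from the whole bucket.

    Heuristic used by this example: Effect Deny, Principal covering everyone, Action
    including s3:* or *, Resource covering the bucket or all of its objects, and no
    Condition (a conditional deny such as a TLS requirement is not a total lockout).
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    matches = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {action.lower() for action in _as_list(stmt.get("Action"))}
        if not actions & {"*", "s3:*"}:
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if resources & {"*", "arn:aws:s3:::*", bucket_arn, bucket_arn + "/*"}:
            matches.append(stmt)
    return matches


def is_lockout_policy(policy_document: str | dict, bucket_name: str) -> bool:
    return bool(lockout_statements(policy_document, bucket_name))


def unlock_bucket(s3_client, bucket_name: str) -> bool:
    """Delete the bucket policy only when it is a lockout; return whether it was deleted.

    `s3_client` is a boto3 S3 client created from AssumeRoot credentials scoped to the
    S3UnlockBucketPolicy task policy. The old policy is printed so it can be kept as a
    record and corrected with put-bucket-policy afterwards, as the guide instructs.
    """
    policy = s3_client.get_bucket_policy(Bucket=bucket_name)["Policy"]
    if not is_lockout_policy(policy, bucket_name):
        print("policy is not a total lockout; leaving it in place")
        return False
    print("deleting lockout policy:", policy)
    s3_client.delete_bucket_policy(Bucket=bucket_name)
    return True


# Constructed sample: a misconfigured policy that denies everything to everyone.
SAMPLE_LOCKOUT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccidentalLockout",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: a conditional deny that only enforces TLS is not a lockout.
SAMPLE_TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    print("lockout sample:", is_lockout_policy(SAMPLE_LOCKOUT_POLICY, "example-bucket"))
    print("TLS-only sample:", is_lockout_policy(SAMPLE_TLS_ONLY_POLICY, "example-bucket"))
```

The same shape of check applies to the SQS unlock task, where the `Policy` attribute from `GetQueueAttributes` is the document to inspect.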

# Multi-factor authentication for AWS account root user

**Important**  
AWS recommends that you use a passkey or security key for MFA to AWS, wherever possible as they are more resistant to attacks such as phishing. For more information, see [Passkeys and security keys](#passkeys-security-keys-for-root).

Multi-factor authentication (MFA) is a simple and effective mechanism to enhance your security. The first factor — your password — is a secret that you memorize, also known as a knowledge factor. Other factors can be possession factors (something you have, such as a security key) or inherence factors (something you are, such as a biometric scan). For increased security, we strongly recommend that you configure multi-factor authentication (MFA) to help protect your AWS resources.

**Note**  
All AWS account types (standalone, management, and member accounts) require MFA to be configured for their root user. Users must register MFA within 35 days of their first sign-in attempt to access the AWS Management Console if MFA is not already enabled.

You can enable MFA for the AWS account root user and IAM users. When you enable MFA for the root user, it only affects the root user credentials. For more information about how to enable MFA for your IAM users, see [AWS Multi-factor authentication in IAM](id_credentials_mfa.md).

**Note**  
AWS accounts managed using AWS Organizations may have the option to [centrally manage root access](id_root-user.md#id_root-user-access-management) for member accounts to prevent credential recovery and access at scale. If this option is enabled, you can delete root user credentials from member accounts, including passwords and MFA, effectively preventing sign-in as the root user, password recovery, or setting up MFA. Alternatively, if you prefer to maintain password-based sign-in methods, secure your account by registering MFA to enhance account protection.

Before you enable MFA for your root user, review and [update your account settings and contact information](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) to make sure that you have access to the email and phone number. If your MFA device is lost, stolen, or not working, you can still sign in as the root user by verifying your identity using that email and phone number. To learn about signing in using alternative factors of authentication, see [Recover an MFA protected identity in IAM](id_credentials_mfa_lost-or-broken.md). To disable this feature, contact [AWS Support](https://console.aws.amazon.com/support/home#/). 

AWS supports the following MFA types for your root user:
+ [Passkeys and security keys](#passkeys-security-keys-for-root)
+ [Virtual authenticator applications](#virtual-auth-apps-for-root)
+ [Hardware TOTP tokens](#hardware-totp-token-for-root)

## Passkeys and security keys


AWS Identity and Access Management supports passkeys and security keys for MFA. Based on FIDO standards, passkeys use public key cryptography to provide strong, phishing-resistant authentication that is more secure than passwords. AWS supports two types of passkeys: device-bound passkeys (security keys) and synced passkeys.
+ **Security keys**: These are physical devices, like a YubiKey, used as a second factor for authentication. A single security key can support multiple root user accounts and IAM users. 
+ **Synced passkeys**: These use credential managers from providers such as Google, Apple, Microsoft accounts, and third-party services like 1Password, Dashlane, and Bitwarden as a second factor.

You can use built-in biometric authenticators, like Touch ID on Apple MacBooks, to unlock your credential manager and sign in to AWS. Passkeys are created with your chosen provider using your fingerprint, face, or device PIN. You can also use a cross-device authentication (CDA) passkey from one device, like a mobile device or hardware security key, to sign in on another device like a laptop. For more information, see [cross-device authentication](https://passkeys.dev/docs/reference/terms/#cross-device-authentication-cda) (CDA).

You can sync passkeys across your devices to facilitate sign-ins with AWS, enhancing usability and recoverability. For more information about enabling passkeys and security keys, see [Enable a passkey or security key for the root user (console)](enable-fido-mfa-for-root.md).

The FIDO Alliance maintains a list of all [FIDO Certified products](https://fidoalliance.org/certification/fido-certified-products/) that are compatible with FIDO specifications.

## Virtual authenticator applications


A virtual authenticator application runs on a phone or other device and emulates a physical device. Virtual authenticator apps implement the [time-based one-time password (TOTP) algorithm](https://datatracker.ietf.org/doc/html/rfc6238) and support multiple tokens on a single device. The user must type a valid code from the device when prompted during sign-in. Each token assigned to a user must be unique. A user can't type a code from another user's token to authenticate.

We do recommend that you use a virtual MFA device while waiting for hardware purchase approval or while you wait for your hardware to arrive. For a list of a few supported apps that you can use as virtual MFA devices, see [Multi-Factor Authentication (MFA)](https://aws.amazon.com/iam/features/mfa/?audit=2019q1). For instructions on setting up a virtual MFA device with AWS, see [Enable a virtual MFA device for the root user (console)](enable-virt-mfa-for-root.md).

## Hardware TOTP tokens


A hardware device generates a six-digit numeric code based on the [time-based one-time password (TOTP) algorithm](https://datatracker.ietf.org/doc/html/rfc6238). The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user's device to be authenticated. For information on supported hardware MFA devices, see [Multi-Factor Authentication (MFA)](https://aws.amazon.com/iam/features/mfa/?audit=2019q1). For instructions on setting up a hardware TOTP token with AWS, see [Enable a hardware TOTP token for the root user (console)](enable-hw-mfa-for-root.md).

If you want to use a physical MFA device, we recommend that you use FIDO security keys as an alternative to hardware TOTP devices. FIDO security keys offer the benefits of no battery requirements, phishing resistance, and they support multiple root and IAM users on a single device for enhanced security.

**Topics**
+ [Passkeys and security keys](#passkeys-security-keys-for-root)
+ [Virtual authenticator applications](#virtual-auth-apps-for-root)
+ [Hardware TOTP tokens](#hardware-totp-token-for-root)
+ [Enable a passkey or security key for the root user (console)](enable-fido-mfa-for-root.md)
+ [Enable a virtual MFA device for the root user (console)](enable-virt-mfa-for-root.md)
+ [Enable a hardware TOTP token for the root user (console)](enable-hw-mfa-for-root.md)

# Enable a passkey or security key for the root user (console)

You can configure and enable a passkey for your root user from the AWS Management Console only, not from the AWS CLI or AWS API. <a name="enable_fido_root"></a>

**To enable a passkey or security key for your root user (console)**

1. Open the [AWS Management Console](https://console.aws.amazon.com/) and sign in using your root user credentials.

   For instructions, see [Sign in to the AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. On the right side of the navigation bar, choose your account name, and then choose **Security credentials**.  
![Security credentials in the navigation menu](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/security-credentials-root.shared.console.png)

1. On your root user **My security credentials** page, under **Multi-factor authentication (MFA)**, choose **Assign MFA device**.

1. On the **MFA device name** page, enter a **Device name**, choose **Passkey or Security Key**, and then choose **Next**.

1. On **Set up device**, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computer's USB port and tapping it.

1. Follow the instructions on your browser to choose a passkey provider or where you want to store your passkey to use across your devices. 

1. Choose **Continue**.

You have now registered your passkey for use with AWS. The next time you use your root user credentials to sign in, you must authenticate with your passkey to complete the sign-in process.

For help troubleshooting issues with your FIDO security key, see [Troubleshoot Passkeys and FIDO Security Keys](troubleshoot_mfa-fido.md).

# Enable a virtual MFA device for the root user (console)

You can use the AWS Management Console to configure and enable a virtual MFA device for your root user. To enable MFA devices for the AWS account, you must be signed in to AWS using your root user credentials. 

**To configure and enable a virtual MFA device for use with your root user (console)**

1. Open the [AWS Management Console](https://console.aws.amazon.com/) and sign in using your root user credentials.

   For instructions, see [Sign in to the AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. On the right side of the navigation bar, choose your account name, and choose **Security credentials**.  
![Security credentials in the navigation menu](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/security-credentials-root.shared.console.png)

1. In the **Multi-Factor Authentication (MFA)** section, choose **Assign MFA device**.

1. In the wizard, type a **Device name**, choose **Authenticator app**, and then choose **Next**.

   IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.

1. Open the virtual MFA app on the device. 

   If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.

1. The easiest way to configure the app is to use the app to scan the QR code. If you cannot scan the code, you can type the configuration information manually. The QR code and secret configuration key generated by IAM are tied to your AWS account and cannot be used with a different account. They can, however, be reused to configure a new MFA device for your account in case you lose access to the original MFA device.
   + To use the QR code to configure the virtual MFA device, from the wizard, choose **Show QR code**. Then follow the app instructions for scanning the code. For example, you might need to choose the camera icon or choose a command like **Scan account barcode**, and then use the device's camera to scan the QR code.
   + In the **Set up device** wizard, choose **Show secret key**, and then type the secret key into your MFA app.
**Important**  
Make a secure backup of the QR code or secret configuration key, or make sure that you enable multiple MFA devices for your account. You can register up to **eight** MFA devices of any combination of the [currently supported MFA types](https://aws.amazon.com/iam/features/mfa/) with your AWS account root user and IAM users. A virtual MFA device might become unavailable, for example, if you lose the smartphone where the virtual MFA device is hosted. If that happens, no additional MFA devices are attached to the user, and you can't sign in even by [Recovering a root user MFA device](id_credentials_mfa_lost-or-broken.md#root-mfa-lost-or-broken), you will not be able to sign in to your account and you will have to [contact customer service](https://support.aws.amazon.com/#/contacts/aws-mfa-support) to remove MFA protection for the account. 

   The device starts generating six-digit numbers.

1. In the wizard, in the **MFA code 1** box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the **MFA code 2** box. Choose **Add MFA**. 
**Important**  
Submit your request immediately after generating the code. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can [resync the device](id_credentials_mfa_sync.md).

The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see [MFA enabled sign-in](console_sign-in-mfa.md).

# Enable a hardware TOTP token for the root user (console)

You can configure and enable a physical MFA device for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.

**Note**  
You might see different text, such as **Sign in using MFA** and **Troubleshoot your authentication device**. However, the same features are provided. In either case, if you cannot verify your account email address and phone number using alternative factors of authentication, contact [AWS Support](https://aws.amazon.com/forms/aws-mfa-support) to delete your MFA setting.<a name="enable_physical_root"></a>

**To enable a hardware TOTP token for your root user (console)**

1. Open the [AWS Management Console](https://console.aws.amazon.com/) and sign in using your root user credentials.

   For instructions, see [Sign in to the AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. On the right side of the navigation bar, choose your account name, and then choose **Security credentials**.  
![Security credentials in the navigation menu](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/security-credentials-root.shared.console.png)

1. Expand the **Multi-factor authentication (MFA)** section.

1. Choose **Assign MFA device**.

1. In the wizard, type a **Device name**, choose **Hardware TOTP token**, and then choose **Next**.

1. In the **Serial number** box, type the serial number that is found on the back of the MFA device.

1. In the **MFA code 1** box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.  
![IAM Dashboard, MFA Device](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/MFADevice.png)

1. Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the **MFA code 2** box. You might need to press the button on the front of the device again to display the second number.

1. Choose **Add MFA**. The MFA device is now associated with the AWS account.
**Important**  
Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can [resync the device](id_credentials_mfa_sync.md).

   The next time you use your root user credentials to sign in, you must type a code from the MFA device.
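Both the virtual MFA and hardware TOTP procedures above ask for two consecutive six-digit codes and warn that submitting them late leaves the device out of sync. The following is an added example, not code from this guide or from AWS: it implements the RFC 6238 computation behind those codes and a simple model of a verifier that learns the device's clock offset from the registration pair, which is how a late submission produces a device that is registered but whose live codes are rejected until resynced. The base32 secret is the RFC 6238 Appendix B test key; the search range and acceptance window are this example's assumptions, and AWS's actual synchronization logic is not public.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30   # time step used by the virtual and hardware TOTP devices in this guide
DIGITS = 6          # AWS MFA codes are six digits

# Constructed test secret: the 20-byte key from RFC 6238 Appendix B, base32-encoded the
# way IAM presents a "secret configuration key" for manual entry into an authenticator app.
RFC6238_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator apps accept the key with spaces and in either case; normalize before decoding.
    return base64.b32decode(secret_b32.replace(" ", "").upper())


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(_decode_secret(secret_b32), unix_time // step)


def registration_pair(secret_b32: str, unix_time: int) -> Tuple[str, str]:
    """The two codes the console asks for: MFA code 1 now, MFA code 2 one step (30 s) later."""
    return totp_code(secret_b32, unix_time), totp_code(secret_b32, unix_time + STEP_SECONDS)


def learn_offset(secret_b32: str, code1: str, code2: str, server_time: int,
                 search_steps: int = 40) -> Optional[int]:
    """Illustrative verifier model (an assumption, not AWS's implementation): find the step
    offset between the device clock implied by the registration pair and the server clock.
    The pair must match two consecutive counters; returns None if nothing in range matches."""
    secret = _decode_secret(secret_b32)
    now = server_time // STEP_SECONDS
    for offset in range(-search_steps, search_steps + 1):
        if hotp(secret, now + offset - 1) == code1 and hotp(secret, now + offset) == code2:
            return offset
    return None


def verify(secret_b32: str, code: str, server_time: int, offset: int = 0, window: int = 1) -> bool:
    """Accept a sign-in code that matches the current step, shifted by the learned offset,
    or a neighbouring step within +/- window (window size is an assumption)."""
    secret = _decode_secret(secret_b32)
    now = server_time // STEP_SECONDS + offset
    return any(hmac.compare_digest(hotp(secret, now + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    t0 = 1000000020                      # constructed device time at "MFA code 1"
    c1, c2 = registration_pair(RFC6238_TEST_SECRET_B32, t0)
    # Submitted right away: the verifier learns an offset of 0 and live codes work.
    prompt = learn_offset(RFC6238_TEST_SECRET_B32, c1, c2, t0 + 30)
    # Submitted ten minutes later: the pair still matches, so the device is associated,
    # but the learned offset is 19 steps off and the device's live code is rejected.
    late = learn_offset(RFC6238_TEST_SECRET_B32, c1, c2, t0 + 600)
    live = totp_code(RFC6238_TEST_SECRET_B32, t0 + 900)
    print("offset when prompt:", prompt, "| offset when late:", late)
    print("live code accepted with late offset:", verify(RFC6238_TEST_SECRET_B32, live, t0 + 900, late))
    print("live code accepted after resync:", verify(RFC6238_TEST_SECRET_B32, live, t0 + 900, 0))
```

Resyncing with a fresh pair of consecutive codes simply relearns the offset, which is what the linked resync procedure provides.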

# Change the password for the AWS account root user

You can change the email address and password from either the [Security Credentials](https://console.aws.amazon.com/iam/home?#security_credential) or the **Account** page. You can also choose **Forgot password?** on the AWS sign-in page to reset your password.

To change the root user's password, you must sign in as the AWS account root user and not as an IAM user. To learn how to reset a *forgotten* root user password, see [Reset a lost or forgotten root user password](reset-root-password.md). 

To protect your password, it's important to follow these best practices:
+ Change your password periodically. 
+ Keep your password private because anyone who knows your password can access your account.
+ Use a different password on AWS than you use on other sites. 
+ Avoid passwords that are easy to guess. These include passwords such as `secret`, `password`, `amazon`, or `123456`. Also avoid things like dictionary words, your name, email address, or other personal information that someone can easily obtain.

**Important**  
AWS accounts managed using AWS Organizations may have [centralized root access](id_root-user.md#id_root-user-access-management) enabled for member accounts. These member accounts do not have root user credentials, can't sign in as a root user, and are prevented from recovering the root user password. Contact your administrator if you need to perform a task that requires root user credentials.

------
#### [ AWS Management Console ]

**To change the password for the root user**
**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
You must sign in as the AWS account root user, which requires no additional AWS Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.

1. Open the [AWS Management Console](https://console.aws.amazon.com/) and sign in using your root user credentials.

   For instructions, see [Sign in to the AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. In the upper right corner of the console, choose your account name or number, and then select **Security Credentials**.

1. On the **Account** page, next to **Account settings**, choose **Edit**. You are prompted to re-authenticate for security purposes.
**Note**  
If you don't see the **Edit** option, it is likely that you are not signed in as the root user for your account. You can't modify account settings while signed in as an IAM user or role.

1. On the **Update account settings** page, under **Password**, choose **Edit**.

1. On the **Update your password** page, fill out the fields for **Current password**, **New password**, and **Confirm new password**.
**Important**  
Make sure to choose a strong password. Although you can set an account password policy for IAM users, that policy doesn't apply to the root user.

   AWS requires that your password meet the following conditions:
   + It must have a minimum of 8 characters and a maximum of 128 characters.
   + It must include a minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * () <> [] {} | _+-= symbols.
   + It must not be identical to your AWS account name or email address.

1. Choose **Save changes**.
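The password conditions above (length, three of four character types, not identical to the account name or email) can be checked locally before the console form is filled in. This is an added example, not the console's own validation; treating punctuation outside the listed symbol set as not counting toward the symbol class is this example's assumption, and the account name and email values are constructed.

```python
import string
from typing import List

# Limits stated in the root user password requirements on this page.
MIN_LEN, MAX_LEN = 8, 128
# Symbol set listed on this page. Whether other punctuation counts toward the symbol
# class is not stated, so this example counts only these (an assumption).
ALLOWED_SYMBOLS = set("!@#$%^&*()<>[]{}|_+-=")


def root_password_problems(password: str, account_name: str, email: str) -> List[str]:
    """Return the requirements a candidate root user password fails; empty means it passes."""
    problems: List[str] = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    classes = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "numbers": any(c in string.digits for c in password),
        "symbols": any(c in ALLOWED_SYMBOLS for c in password),
    }
    present = [name for name, found in classes.items() if found]
    if len(present) < 3:
        problems.append("must include at least three character types; found only "
                        + (", ".join(present) or "none"))
    # "Identical" is an exact match; the IAM account password policy does not apply here.
    if password == account_name or password == email:
        problems.append("must not be identical to the account name or email address")
    return problems


if __name__ == "__main__":
    # Constructed sample values; not a real account.
    for candidate in ("Tr0ub4dor&3xample", "abcdefgh", "Ab1", "owner@example.com"):
        print(repr(candidate), "->", root_password_problems(candidate, "my-account", "owner@example.com") or "ok")
```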

------
#### [ AWS CLI or AWS SDK ]

This task isn't supported in the AWS CLI or by an API operation from one of the AWS SDKs. You can perform this task only by using the AWS Management Console.

------

# Reset a lost or forgotten root user password


When you first created your AWS account, you provided an email address and password. These are your AWS account root user credentials. If you forget your root user password, you can reset the password from the AWS Management Console.

AWS accounts managed using AWS Organizations may have [centralized root access](id_root-user.md#id_root-user-access-management) enabled for member accounts. These member accounts do not have root user credentials, can't sign in as a root user, and are prevented from recovering the root user password. Contact your administrator if you need to perform a task that requires root user credentials.

**Important**  
**Having trouble signing in to AWS?** Make sure that you're on the correct [AWS sign-in page](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html) for your type of user. If you are the AWS account root user (account owner), you can sign in to AWS using the credentials that you set up when you created the AWS account. If you are an IAM user, your account administrator can give you the credentials that you can use to sign in to AWS. If you need to request support, do not use the feedback link on this page, as the form is received by the AWS Documentation team, not Support. Instead, on the [Contact Us](https://aws.amazon.com/contact-us/) page choose **Still unable to log into your AWS account** and then choose one of the available support options.

**To reset your root user password**

1. Open the [AWS Management Console](https://console.aws.amazon.com/) and sign in using your root user credentials.

   For instructions, see [Sign in to the AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.
**Note**  
If you are signed in to the [AWS Management Console](https://console.aws.amazon.com/) with *IAM user* credentials, then you must sign out before you can reset the root user password. If you see the account-specific IAM user sign-in page, choose **Sign-in using root account credentials** near the bottom of the page. If necessary, provide your account email address and choose **Next** to access the **Root user sign in** page.

1. Choose **Forgot your password?**.
**Note**  
If you are an IAM user, this option is not available. The **Forgot your password?** option is only available for the root user account. IAM users must ask their administrator to reset a forgotten password. For more information, see [I forgot my IAM user password for my AWS account](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html#troubleshoot-forgot-iam-password). If you sign in through the AWS access portal, see [Resetting your IAM Identity Center user password](https://docs.aws.amazon.com/singlesignon/latest/userguide/resetpassword-accessportal.html).

1. Provide the email address that is associated with the account. Then provide the CAPTCHA text and choose **Continue**.

1. Check the email that is associated with your AWS account for a message from Amazon Web Services. The email will come from an address ending in `@verify.signin.aws`. Follow the directions in the email. If you don't see the email in your account, check your spam folder. If you no longer have access to the email, see [I don't have access to the email for my AWS account](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-troubleshooting.html#credentials-not-working-console) in the *AWS Sign-In User Guide*.

# Create access keys for the root user


**Warning**  
We strongly recommend that you do **not** create access key pairs for your root user. Because [only a few tasks require the root user](id_root-user.md#root-user-tasks) and you typically perform those tasks infrequently, we recommend signing in to the AWS Management Console to perform the root user tasks. Before creating access keys, review the [alternatives to long-term access keys](security-creds-programmatic-access.md#security-creds-alternatives-to-long-term-access-keys).

Although we don't recommend it, you can create access keys for your root user so that you can run commands in the AWS Command Line Interface (AWS CLI) or use API operations from one of the AWS SDKs using root user credentials. When you create access keys, you create the access key ID and secret access key as a set. During access key creation, AWS gives you one opportunity to view and download the secret access key part of the access key. If you don't download it or if you lose it, you can delete the access key and then create a new one. You can create root user access keys with the console, AWS CLI, or AWS API.

A newly created access key has the status of *active*, which means that you can use the access key for CLI and API calls. You can assign up to two access keys to the root user.

Access keys that are not in use should be inactivated. Once an access key is inactive, you can't use it for API calls. Inactive keys still count toward your limit. You can create or delete an access key any time. However, when you delete an access key, it's gone forever and can't be retrieved.

------
#### [ AWS Management Console ]

**To create an access key for the AWS account root user**
**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
You must sign in as the AWS account root user, which requires no additional AWS Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.

1. Open the [AWS Management Console](https://console.aws.amazon.com/) and sign in using your root user credentials.

   For instructions, see [Sign in to the AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. In the upper right corner of the console, choose your account name or number and then choose **Security Credentials**. 

1. In the **Access keys** section, choose **Create access key**. If this option is not available, then you already have the maximum number of access keys. You must delete one of the existing access keys before you can create a new key. For more information, see [IAM Object Quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entities). 

1. On the **Alternatives to root user access keys** page, review the security recommendations. To continue, select the checkbox, and then choose **Create access key**. 

1. On the **Retrieve access key** page, your **Access key** ID is displayed. 

1. Under **Secret access key**, choose **Show** and then copy the access key ID and secret key from your browser window and paste it somewhere secure. Alternatively, you can choose **Download .csv file** which will download a file named `rootkey.csv` that contains the access key ID and the secret key. Save the file somewhere safe.

1. Choose **Done**. When you no longer need the access key [we recommend that you delete it](id_root-user_manage_delete-key.md), or at least consider deactivating it so that no one can misuse it.

------
#### [ AWS CLI & SDKs ]

**To create an access key for the root user**
**Note**  
To run the following command or API operation as the root user, you must already have one active access key pair. If you don't have any access keys, create the first access key using the AWS Management Console. Then, you can use the credentials from that first access key with the AWS CLI to create the second access key, or to delete an access key.
+ AWS CLI: [aws iam create-access-key](https://docs.aws.amazon.com/cli/latest/reference/iam/create-access-key.html)  
**Example**  

  ```
  $ aws iam create-access-key
  {
      "AccessKey": {
          "UserName": "MyUserName",
          "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
          "Status": "Active",
          "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
          "CreateDate": "2021-04-08T19:30:16+00:00"
      }
  }
  ```
+ AWS API: [CreateAccessKey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html) in the *IAM API Reference*. 

------

# Delete access keys for the root user


You can use the AWS Management Console, the AWS CLI or the AWS API to delete the root user access keys.

------
#### [ AWS Management Console ]

**To delete an access key for the root user**
**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
You must sign in as the AWS account root user, which requires no additional AWS Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.

1. Open the [AWS Management Console](https://console.aws.amazon.com/) and sign in using your root user credentials.

   For instructions, see [Sign in to the AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. In the upper right corner of the console, choose your account name or number and then choose **Security Credentials**. 

1. In the **Access keys** section, select the access key that you want to delete, and then, under **Actions**, choose **Delete**.
**Note**  
Alternatively, you can **Deactivate** an access key instead of permanently deleting it. This way you can resume using it in the future without having to change either the key ID or secret key. While the key is inactive, any attempt to use it in a request to the AWS API fails with an access denied error.

1. On the **Delete <access key ID>** dialog box, choose **Deactivate**, enter the access key ID to confirm you want to delete it, and then choose **Delete**. 

------
#### [ AWS CLI & SDKs ]

**To delete an access key for the root user**
**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
You must sign in as the AWS account root user, which requires no additional AWS Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.
+ AWS CLI: [aws iam delete-access-key](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html)  
**Example**  

  ```
  $ aws iam delete-access-key \
      --access-key-id AKIAIOSFODNN7EXAMPLE
  ```

  This command produces no output when successful.
+ AWS API: [DeleteAccessKey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccessKey.html) 

------

## Tasks that require root user credentials


We recommend that you [configure an administrative user in AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) to perform daily tasks and access AWS resources. However, you can perform the tasks listed below only when you sign in as the root user of an account.

To simplify managing privileged root user credentials across member accounts in AWS Organizations, you can enable centralized root access to help you centrally secure highly privileged access to your AWS accounts. [Centrally manage root access for member accounts](#id_root-user-access-management) lets you centrally remove and prevent long-term root user credential recovery, improving account security in your organization. After you enable this feature, you can perform the following privileged tasks on member accounts.
+ Remove member account root user credentials to prevent account recovery of the root user. You can also allow password recovery to recover root user credentials for a member account.
+ Remove a misconfigured bucket policy that denies all principals from accessing an Amazon S3 bucket.
+ Delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.

**Account Management Tasks**
+ [Change your AWS account settings.](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) Standalone AWS accounts that are not part of AWS Organizations require root credentials to update the email address, root user password, and root user access keys. Other account settings, such as account name, contact information, alternate contacts, payment currency preference, and AWS Regions, don't require root user credentials.
**Note**  
AWS Organizations, with all features enabled, can be used to manage member account settings centrally from the management account and delegated admin accounts. Authorized IAM users or IAM roles in both the management account and delegated admin accounts can close member accounts and update the root email addresses, account names, contact information, alternate contacts, and AWS Regions of member accounts. 
+ [Close your AWS account.](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) Standalone AWS accounts that are not part of AWS Organizations require root credentials to close the account. With AWS Organizations, you can close the member accounts centrally from the management account and delegated admin accounts.
+ [Restore IAM user permissions.](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html) If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.

**Billing Tasks**
+ [Activate IAM access to the Billing and Cost Management console](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate).
+ Some Billing tasks are limited to the root user. See [Managing an AWS account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html) in AWS Billing User Guide for more information.
+ View certain tax invoices. An IAM user with the [aws-portal:ViewBilling](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) permission can view and download VAT invoices from AWS Europe, but not AWS Inc. or Amazon Internet Services Private Limited (AISPL).

**AWS GovCloud (US) Tasks**
+ [Sign up for AWS GovCloud (US)](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html).
+ Request AWS GovCloud (US) account root user access keys from AWS Support.

**Amazon EC2 Task**
+ [Register as a seller](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-market-general.html) in the Reserved Instance Marketplace.

**AWS KMS Task**
+ In the event that an AWS Key Management Service key becomes unmanageable, an administrator can recover it by contacting Support; however, to authorize the request, Support contacts your root user's primary phone number and confirms the ticket OTP.

**Amazon Mechanical Turk Task**
+ [Link Your AWS account to your MTurk Requester account](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMechanicalTurkGettingStartedGuide/SetUp.html#accountlinking).

**Amazon Simple Storage Service Tasks**
+ [Configure an Amazon S3 bucket to enable MFA (multi-factor authentication)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html).
+ [Edit or delete an Amazon S3 bucket policy that denies all principals](https://aws.amazon.com/premiumsupport/knowledge-center/change-vpc-endpoint-s3-bucket-policy/).

  You can use privileged actions to unlock an Amazon S3 bucket with a misconfigured bucket policy. For details, see [Perform a privileged task on an AWS Organizations member account](id_root-user-privileged-task.md).

**Amazon Simple Queue Service Task**
+ [Edit or delete an Amazon SQS resource-based policy that denies all principals](https://aws.amazon.com/premiumsupport/knowledge-center/sqs-queue-access-issues-deny-policy).

  You can use privileged actions to unlock an Amazon SQS queue with a misconfigured resource-based policy. For details, see [Perform a privileged task on an AWS Organizations member account](id_root-user-privileged-task.md).

## Additional resources


For more information about the AWS root user, see the following resources:
+ For help with root user issues, see [Troubleshoot issues with the root user](troubleshooting_root-user.md).
+ To centrally manage root user email addresses in AWS Organizations, see [Updating the root user email address for a member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_update_primary_email.html) in the *AWS Organizations User Guide*.

The following articles provide additional information about working with the root user.
+ [What are some best practices for securing my AWS account and its resources?](https://repost.aws/knowledge-center/security-best-practices)
+ [How can I create an EventBridge event rule to notify me that my root user was used?](https://repost.aws/knowledge-center/root-user-account-eventbridge-rule) 
+ [Monitor and notify on AWS account root user activity](https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/) 
+ [Monitor IAM root user activity](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-iam-root-user-activity.html) 