Latest Documentation
This is the latest documentation for the Cloud Posse Reference Architecture. To determine which version you're currently using, please see Version Identification.

Create Account Root Users

This tutorial explains how to create and configure root user credentials for individual AWS accounts. With centralized root access enabled, this is typically not required for member accounts.

Do You Need Per-Account Root Credentials?

With centralized root access enabled, member accounts do not require individual root credentials. The management account can perform privileged root operations on any member account using the RootAccess permission set.

You only need per-account root credentials if:

  1. You have not enabled centralized root access
  2. You need to perform recovery operations that cannot be done through centralized root access
  3. Compliance requirements mandate individual root credentials for each account

Recommended Approach

For most organizations, we recommend using centralized root access instead of managing individual root credentials for each account. This reduces operational overhead and improves security.

Creating Root User Credentials

If you need to create root user credentials for an account, follow these steps for each account:

1 Reset the Root User Password

  1. Attempt to log in to the AWS console as a "root user" using the account's email address

  2. Click the "Forgot password?" link

  3. You will receive a password reset link via email (forwarded to your shared Slack channel if configured)

  4. Click the link and enter a new password

    Tip:

    Use 1Password to generate a password 26-38 characters long that contains at least 3 characters from each of these classes: lowercase, uppercase, digit, and symbol

  5. Save the email address and generated password as web login credentials in 1Password

  6. Record the account number in a separate field of the 1Password item (optional but recommended)

2 Configure MFA

  1. Log in to the AWS console using the new password
  2. Choose "My Security Credentials" from the account dropdown menu
  3. Set up Multi-Factor Authentication (MFA) to use a Virtual MFA device
  4. Save the MFA TOTP key in 1Password using 1Password's "One-Time Password" field
  5. Enter the generated MFA codes in AWS to verify the MFA device
  6. Save the Virtual MFA ARN in the same 1Password entry
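The two checks below are an added example, not Cloud Posse code: one verifies a generated password against the Tip's length and character-class rule, the other flags accounts whose root user still lacks MFA or carries an access key after the steps above. The per-account summaries are constructed inline so it runs offline; in practice each map is the `SummaryMap` returned by `aws iam get-account-summary` (boto3 `iam.get_account_summary()`), run with credentials for that account.

```python
"""Post-procedure audit helpers for root-user credentials (added example)."""
import string

# Constructed sample: IAM account-summary fields for three accounts.
# AccountMFAEnabled and AccountAccessKeysPresent describe the root user.
SAMPLE_SUMMARIES = {
    "111111111111": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    "222222222222": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0},
    "333333333333": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1},
}


def root_findings(summaries):
    """Return {account_id: [finding, ...]} for accounts whose root user
    has no MFA device enabled or still has an access key present."""
    findings = {}
    for account_id, summary in summaries.items():
        problems = []
        if summary.get("AccountMFAEnabled", 0) != 1:
            problems.append("root MFA not enabled")
        if summary.get("AccountAccessKeysPresent", 0) != 0:
            problems.append("root access key present")
        if problems:
            findings[account_id] = problems
    return findings


def password_meets_tip(password):
    """Check the Tip's rule: 26-38 characters and at least three characters
    from each class (lowercase, uppercase, digit, symbol)."""
    if not 26 <= len(password) <= 38:
        return False
    classes = (
        set(string.ascii_lowercase),
        set(string.ascii_uppercase),
        set(string.digits),
        set(string.punctuation),
    )
    return all(sum(ch in cls for ch in password) >= 3 for cls in classes)


if __name__ == "__main__":
    for account_id, problems in root_findings(SAMPLE_SUMMARIES).items():
        print(f"{account_id}: {', '.join(problems)}")
```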

References