The root account

The AWS root user is the absolute god user for your AWS account: it can do anything, including changing billing details and closing the account. These credentials must be kept locked away and used only in absolute emergencies. For an identity that sensitive, I was quite surprised to find it integrated into almost everything that Amazon does.

Let's go Shopping

Like me, you're probably a regular shopper on amazon.com. Using my trusty password manager, I tried to log onto my Amazon shopping account, only to find that it didn't work. I did some troubleshooting, couldn't quite figure it out, and did the good ol' password reset. All was fine until I tried to access my AWS console. (Mind you, this was before I deployed SSO, and I used the root account for pretty much everything). Again, I ran into a problem - I couldn't log onto my AWS root account.

It then dawned on me - the AWS console and the Amazon shopping site use the same credentials. (and here I thought having a unique password on each site was a good security practice...)

But wait.. there's more!

Let's get certified

I currently hold 3 AWS certifications. I also discovered that when you log onto the AWS Training site, again it uses the same credential database since it is linked to my primary email address.

Watching some videos on Prime?

You've guessed it! Amazon Prime also uses the same user database. So when my kids wanted to hook up our Smart TV to Amazon Prime with the same credentials that could rack up thousands of dollars in AWS hosting fees, I had to draw the line...

Developing Alexa skills?

I've dabbled with Alexa skills previously. When working in the developer console, you again log on with the root credentials.

So what's the issue?

AWS itself makes the following statement on the AWS root user documentation page:

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. For a tutorial on how to set up an administrator for daily use, see Creating your first IAM admin user and user group.

Yet they don't seem to follow their own advice, linking the credential database that controls AWS console access to everything from Alexa, Prime and Shopping to everything else in their eco-system that breathes.

Let's just be realistic -- it is probably not as big an issue as I'd like it to be, and I'll explain why. In a large enterprise, it is highly unlikely that the root credentials controlling your AWS master account will ever be used to buy dog food on Amazon.com. The issue is more prevalent among home users and professionals who train and develop on AWS, where the same username and password are linked to other services in the Amazon eco-system.

What's the risk?

If your username and password are shared with someone other than yourself (your spouse, teenager, or anyone else) for, say, watching Amazon Prime on their own devices, a leak of those credentials has consequences well beyond shopping. Someone could create an AWS account in your name (if you don't already have one), or log onto your existing account and spin up large servers for all sorts of purposes, leaving you to foot a bill that can run into the thousands of dollars.

What can be done about it?

Create a 2nd account

I know it's a pain, but a second account (on a completely different email address) does solve the problem. Use the second account as the general account for shopping and Prime, and keep the primary account for the AWS side of things.

Note that you cannot create an AWS account without a valid credit card (fortunately, Amazon does not share the same credit card payment details across its eco-system).

Setup MFA

Activate MFA on the root user. With multi-factor authentication enabled, a compromise of your password alone is no longer enough to get in, which makes things considerably more difficult for an attacker.

WARNING - if an attacker has access to your email (and the phone number registered on the account, which the recovery flow also verifies), they can bypass the MFA requirement by triggering the Troubleshoot MFA option when they try to log onto the account. Lock down the mailbox and phone number behind the root user as carefully as the root credentials themselves.

Setup a CloudTrail alert

If changing your ways isn't an option, I can also suggest you set up an alert on CloudTrail events (CloudTrail records the sign-in itself; the alert comes from a CloudWatch Logs metric filter with an alarm, or an EventBridge rule, on root-user events) so you're notified the second someone tries to log on with your root credentials.
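To show what such an alert actually has to look for, here is an added example (not code from the original post) that runs the detection logic over constructed CloudTrail ConsoleLogin records: it flags root sign-ins, ranks a successful sign-in without MFA as the worst case, includes the CIS Foundations metric filter for any root usage together with an equivalent offline check, and applies an EventBridge-style event pattern for root console sign-ins. The records, account ID, IP addresses and timestamps are made up; the field names follow the CloudTrail record format.

```python
"""Detect AWS root-user sign-ins in CloudTrail records (added example)."""
import json

# Constructed sample records mimicking CloudTrail ConsoleLogin events.
# Field names follow the real record format; all values are made up.
SAMPLE_RECORDS = [
    {   # root sign-in that succeeded WITHOUT MFA: the worst case
        "eventTime": "2023-05-01T10:15:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an IAM user signing in with MFA: business as usual, no alert
        "eventTime": "2023-05-01T10:20:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # failed root sign-in: someone guessing the root password
        "eventTime": "2023-05-01T23:41:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "192.0.2.99",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "errorMessage": "Failed authentication",
        "additionalEventData": {"MFAUsed": "No"},
    },
]

# CloudWatch Logs metric filter from the CIS AWS Foundations Benchmark
# ("Ensure a log metric filter and alarm exist for usage of root account").
# It fires on ANY root activity, not just sign-ins; attach it to the log group
# CloudTrail delivers to and put an alarm with an SNS notification on it.
CIS_ROOT_USAGE_FILTER = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# EventBridge event pattern for a root console sign-in (CloudTrail sign-in
# events arrive with source "aws.signin" and this detail-type).
ROOT_CONSOLE_LOGIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
}


def cis_root_usage_match(record):
    """Offline equivalent of CIS_ROOT_USAGE_FILTER for a single record."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def classify_root_login(record):
    """Return an alert dict for a root ConsoleLogin record, or None otherwise."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "Root" or record.get("eventName") != "ConsoleLogin":
        return None
    outcome = record.get("responseElements", {}).get("ConsoleLogin", "Unknown")
    mfa_used = record.get("additionalEventData", {}).get("MFAUsed", "Unknown")
    if outcome == "Success":
        # Whoever holds the password is in; without MFA nothing else stood in the way.
        severity = "critical" if mfa_used != "Yes" else "high"
    else:
        severity = "medium"  # password guessing, or a typo by the legitimate owner
    return {"time": record.get("eventTime"), "source_ip": record.get("sourceIPAddress"),
            "outcome": outcome, "mfa_used": mfa_used, "severity": severity}


def root_login_alerts(records):
    """All root sign-in alerts, in record order."""
    return [a for a in map(classify_root_login, records) if a is not None]


def to_eventbridge_event(record):
    """Wrap a CloudTrail sign-in record the way EventBridge delivers it."""
    return {"source": "aws.signin",
            "detail-type": "AWS Console Sign In via CloudTrail",
            "detail": record}


def matches_pattern(pattern, event):
    """Minimal EventBridge matching: a list means 'one of these exact values',
    a dict recurses; every key in the pattern must be present in the event."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches_pattern(want, have):
                return False
        elif have not in want:
            return False
    return True


if __name__ == "__main__":
    for alert in root_login_alerts(SAMPLE_RECORDS):
        print(json.dumps(alert))
    print("CIS filter:", CIS_ROOT_USAGE_FILTER)
```

Feed `root_login_alerts` the `Records` array of a CloudTrail log file (or the events returned by `aws cloudtrail lookup-events`) to review past activity; for real-time notification, use `CIS_ROOT_USAGE_FILTER` as a metric filter with an alarm, or `ROOT_CONSOLE_LOGIN_PATTERN` as an EventBridge rule targeting an SNS topic.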

Escalate it to AWS support

I have raised the issue with AWS Support, and I suggest you do the same. As a solution, I am proposing that the AWS root user credential database be decoupled from the rest of the Amazon eco-system and kept completely separate and isolated. It should not come anywhere near the database used by millions of shoppers and Prime Video users.