reduce the risk of losing control of your AWS account by not knowing the root account password
As Amazon states, one of the best practices for using AWS is
Don’t use your AWS root account credentials to access AWS […] Create an IAM user for yourself […], give that IAM user administrative privileges, and use that IAM user for all your work.
The root account credentials are the email address and password that you used when you first registered for AWS. These credentials have the ultimate authority to create and delete IAM users, change billing, close the account, and perform all other actions on your AWS account.
You can create a separate IAM user with near-full permissions for use when you need to perform admin tasks, instead of using the AWS root account. If the credentials for the admin IAM user are compromised, you can use the AWS root account to disable those credentials to prevent further harm, and create new credentials for ongoing use.
However, if the credentials for your AWS root account are compromised, the person who stole them can take over complete control of your account, change the associated email address, and lock you out.
I have consulted for companies that lost control of the root AWS account containing their assets. You want to avoid this.
The AWS root account is not required for regular use as long as you have created an IAM user with admin privileges
Amazon recommends not using your AWS root account
You can’t accidentally expose your AWS root account password if you don’t know it and haven’t saved it anywhere
You can always reset your AWS root account password as long as you have access to the email address associated with the account (if MFA is enabled on the root account, you will also need the MFA device to sign in after the reset)
Consider this approach to improving security:
Create an IAM user with full admin privileges. Use this when you need to do administrative tasks. In the account settings, activate IAM user access to billing information so that this admin IAM user can read and modify billing, payment, and account information instead of the root account.
Change the AWS root account password to a long, randomly generated string. Do not save the password. Do not try to remember the password. On Ubuntu, you can use a command like the following to generate a random password for copy/paste into the change password form:
pwgen -s 24 1
If you need access to the AWS root account at some point in the future, use the “Forgot Password” function on the signin form.
It should be clear from this that protecting access to your email account is critical to your overall AWS security, since access to that mailbox is all that is needed to reset the root password; that has been true for many online services for many years.
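As an added example (not code from the original post or from AWS), the script below does the password-generation step without depending on pwgen and then checks the root row of an IAM credential report for the state this procedure aims at: MFA enabled, no root access keys, and a root password that is not being used day to day. The report columns are the ones the real `aws iam get-credential-report` output uses; the two sample reports embedded here are constructed for the example (fake account ID, fake dates), and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example for this post; not code from the original article or from AWS.
# Assumes: a POSIX shell, coreutils (tr, head), awk. The sample reports below
# are constructed for the example and are not real account data.

# Step 2 of the procedure: generate a long random root password to paste into
# the change-password form. Reads /dev/urandom directly so it works without
# installing pwgen. Do not save the output anywhere.
gen_root_password() {
    length="${1:-48}"
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=-' < /dev/urandom | head -c "$length"
    echo
}

# After the change, confirm the root account is in the state the post wants.
# Input is the decoded credential report text, which you can fetch with:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 --decode
# Columns are looked up by header name so column order does not matter.
# Prints one line per finding; returns non-zero if root has no MFA, has an
# active access key, or has no row in the report at all.
check_root_report() {
    report="$1"
    printf '%s\n' "$report" | awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $1 == "<root_account>" {
            found = 1; bad = 0
            if ($(col["mfa_active"]) != "true") {
                print "FAIL: root MFA is not enabled"; bad = 1
            }
            if ($(col["access_key_1_active"]) == "true" || $(col["access_key_2_active"]) == "true") {
                print "FAIL: root account has an active access key"; bad = 1
            }
            last = $(col["password_last_used"])
            if (last != "no_information" && last != "N/A") {
                print "WARN: root password was used on " last
            }
            if (!bad) print "OK: root has MFA and no access keys"
            exit bad
        }
        END { if (!found) { print "FAIL: no <root_account> row in report"; exit 1 } }
    '
}

# Constructed sample: the desired end state (MFA on, no keys, password unused).
SAMPLE_REPORT_OK='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2014-01-15T10:00:00+00:00,not_supported,no_information,2014-01-15T10:00:00+00:00,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2014-01-16T09:00:00+00:00,true,2015-01-10T08:12:00+00:00,2014-12-01T09:00:00+00:00,N/A,true,true,2014-12-01T09:00:00+00:00,2015-01-10T08:12:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

# Constructed sample: the state the post warns about (no MFA, a live root key,
# root password in regular use).
SAMPLE_REPORT_BAD='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2014-01-15T10:00:00+00:00,not_supported,2015-01-12T14:30:00+00:00,2014-01-15T10:00:00+00:00,not_supported,false,true,2014-01-15T10:05:00+00:00,2015-01-12T14:31:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

# Example run against the constructed samples.
echo "new root password (paste it, then forget it): $(gen_root_password 48)"
check_root_report "$SAMPLE_REPORT_OK"
check_root_report "$SAMPLE_REPORT_BAD" || echo "root account needs attention (exit $?)"
```

Run the check on a freshly generated credential report right after you change the password and enable MFA; the `WARN` line tells you whether anyone has been signing in as root since, which is the clearest sign that the "forgotten password" policy is not being followed.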
You currently need to use the AWS root account in the following situations:
to change the email address and password associated with the AWS root account
to deactivate IAM user access to account billing information
to cancel AWS services (e.g., support)
to close an AWS account
to set up consolidated billing (no longer requires root: supported by AWS Organizations)
to let AWS Support know whether they solved your support request (no longer requires root: resolved by AWS)
Amazon has created a page, "AWS Tasks That Require AWS Account Root User", that lists many of the above items and perhaps a few others.
anything else? Let folks know in the comments.
For completeness, I should also reiterate Amazon’s constant and strong recommendation to use MFA (multi-factor authentication) on your root AWS account. Consider buying the hardware MFA device, associating it with your root account, then storing it in a lock box with your other important things.
You should also add MFA to your IAM users that have AWS console access. For this, I like to use Google Authenticator software running on a locked-down mobile phone.
MFA adds a second layer of protection beyond just knowing the password or having access to the email account that can reset it.
[Update 2015-11-05: Need root account to transfer domain registration to another AWS account.]
[Update 2015-12-23: Added notes about consolidated billing, penetration testing, thanks to comment from Ranato L.]
[Update 2017-10-17: Updated notes about consolidated billing, AWS Support, both resolved by AWS]
[Update 2017-12-11: Added link to Amazon’s list of tasks that require root account access]