reduce the risk of losing control of your AWS account by not knowing the root account password
As Amazon states, one of the best practices for using AWS is:
We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, use your root user credentials only to create your IAM admin user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.
The root account credentials are the email address and password that you used when you first registered for AWS. These credentials have the ultimate authority to create and delete IAM users, change billing, close the account, and perform all other actions on your AWS account.
You can create a separate IAM user with near-full permissions for use when you need to perform admin tasks, instead of using the AWS root account. If the credentials for the admin IAM user are compromised, you can use the AWS root account to disable those credentials to prevent further harm, and create new credentials for ongoing use.
However, if the credentials for your AWS root account are compromised, the person who stole them can take over complete control of your account, change the associated email address, and lock you out.
I have consulted for companies who lost control over the root AWS account which contained their assets. You want to avoid this.
Proposal
Given:
-
The AWS root account is not required for regular use as long as you have created an IAM user with admin privileges
-
Amazon recommends not using your AWS root account
-
You can’t accidentally expose your AWS root account password if you don’t know it and haven’t saved it anywhere
-
You can always reset your AWS root account password as long as you have access to the email address associated with the account
Consider this approach to improving security: