Concepts
- Changing Account Settings
  - Changing account details such as the account name, email address, and root user password.
  - Updating the root user’s multi-factor authentication (MFA) settings.
  - Closing the AWS account.
- Handling Billing and Payment
  - Modifying payment methods, such as credit card details.
  - Accessing tax invoices, past billing information, or the Cost Management Dashboard, depending on your account’s billing preferences.
  - Managing the Tax Registration Numbers and settings.
- Security Credentials Management
  - Using the root user’s security credentials for signing AWS API requests.
- AWS Support Plan Management
  - Upgrading or downgrading the AWS Support Plan.
- Service Control Policies (SCPs)
  - Disabling AWS Organizations if the account is the management account of an organization.
- Account Recovery
  - Requesting the recovery of an AWS account.
- IAM Role to Billing Access
  - Delegating access to the billing console to an IAM user.
Best Practices and Precautions
While the root user holds significant power within the AWS ecosystem, it’s considered a best practice to minimize its use. For most other tasks, you should create IAM users with least privilege permissions. This helps in securing the account against unauthorized access or potential misuse.
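Minimizing root use is only verifiable if you watch for it. The script below is an added example (not code from the original post): it scans CloudTrail-style records, keeps the ones where the caller was the account root user, and grades each one, so that a root console sign-in without MFA or a root access key creation stands out from routine IAM-user traffic. The events are constructed samples embedded in the script; the field names (userIdentity.type, eventName, sourceIPAddress, additionalEventData.MFAUsed) follow the CloudTrail record format, while the severity rules are this example's own.

```python
"""Flag root-user activity in CloudTrail records (added example, offline)."""
import json
from collections import Counter

# Constructed sample events, not real CloudTrail output. The account id and
# the IP addresses are documentation placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:03:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-02T22:41:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "192.0.2.55",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-02T22:45:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "192.0.2.55"},
]


def classify_root_event(event):
    """Return (severity, reason) for one event already known to be root activity."""
    name = event.get("eventName", "")
    mfa = event.get("additionalEventData", {}).get("MFAUsed")
    if name == "ConsoleLogin" and mfa != "Yes":
        return "high", "root console sign-in without MFA"
    if name == "CreateAccessKey":
        return "high", "access key created for the root user"
    if name.startswith(("Describe", "Get", "List")):
        return "low", "read-only API call made as root"
    return "medium", "root user performed a write or sign-in action"


def root_activity_findings(events):
    """Keep only events performed as the account root user and grade each one."""
    findings = []
    for event in events:
        if event.get("userIdentity", {}).get("type") != "Root":
            continue  # IAM users and roles are out of scope for this check
        severity, reason = classify_root_event(event)
        findings.append({
            "time": event.get("eventTime"),
            "event": event.get("eventName"),
            "source_ip": event.get("sourceIPAddress"),
            "severity": severity,
            "reason": reason,
        })
    return findings


def severity_counts(findings):
    """Summary suitable for a daily report: how many findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


def findings_from_jsonl(text):
    """Parse newline-delimited JSON (one CloudTrail record per line) and grade it."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return root_activity_findings(events)


if __name__ == "__main__":
    found = root_activity_findings(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['event']:16} {f['source_ip']:14} {f['reason']}")
    print(severity_counts(found))
```

On the constructed sample this yields four findings: the MFA-backed sign-in is graded medium, the access key creation and the sign-in without MFA high, and the ListBuckets call low. In practice the same logic would be fed from a CloudTrail log export or a CloudWatch Logs subscription rather than the inline list.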
Practical Examples
Scenario 1: Billing Management
Suppose a company’s finance department needs access to the AWS billing information. As a best practice, the root user would set up an IAM user with the appropriate permissions to access billing details, rather than logging in as a root user.
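What that delegation looks like in policy terms, as an added example (not code from the original post): the finance user gets an identity policy that only contains the view actions of the Billing console, and a small lint function rejects the common shortcut of granting aws-portal:* instead. The aws-portal action names are the ones documented for Billing console access; AWS has been migrating accounts to fine-grained billing: and payments: actions, so check the current Billing IAM reference for your account. The policy documents and the lint rules are this example's own. One caveat that cannot be scripted: before any IAM principal can see billing data at all, the root user must switch on "IAM user and role access to Billing information" in the account settings, which is itself one of the root-only tasks.

```python
"""Read-only billing access for an IAM user, with a least-privilege lint (added example)."""
import json

# Read-only billing actions granted to the finance user.
BILLING_VIEW_ACTIONS = [
    "aws-portal:ViewBilling",
    "aws-portal:ViewUsage",
    "aws-portal:ViewPaymentMethods",
]


def billing_read_only_policy():
    """Identity policy for a finance user: view billing data, change nothing."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ViewBillingOnly", "Effect": "Allow",
             "Action": list(BILLING_VIEW_ACTIONS), "Resource": "*"},
        ],
    }


def _allow_actions(policy):
    """Yield every action string from the policy's Allow statements."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def least_privilege_issues(policy):
    """Flag grants that go beyond 'read billing': wildcards, Modify* actions,
    and actions from unrelated services that belong in a separate policy."""
    issues = []
    for action in _allow_actions(policy):
        service, _, name = action.partition(":")
        if action == "*" or name == "*":
            issues.append(f"{action}: wildcard grants every action in the service")
        elif name.startswith("Modify"):
            issues.append(f"{action}: allows changing billing settings, not just viewing them")
        elif service != "aws-portal":
            issues.append(f"{action}: not a billing action; keep it out of the finance policy")
    return issues


# The shortcut to avoid, kept for comparison: aws-portal:* also covers
# ModifyPaymentMethods and ModifyAccount.
TOO_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "aws-portal:*", "Resource": "*"}],
}


if __name__ == "__main__":
    print(json.dumps(billing_read_only_policy(), indent=2))
    print("issues, read-only policy:", least_privilege_issues(billing_read_only_policy()))
    print("issues, aws-portal:* policy:", least_privilege_issues(TOO_BROAD_POLICY))
```

The read-only policy produces no findings; the aws-portal:* version is flagged once for the wildcard. Attach the clean policy to the finance user (or, better, to a group the user belongs to) and keep the root credentials for the account-settings switch only.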
Scenario 2: Account Recovery
In an instance where account credentials are lost or compromised, only the root user can initiate and complete the recovery process of the account by providing proof of account ownership.
Scenario 3: Changing Account Settings
After a merger, the company needs to update the email address associated with the AWS account. This action can only be completed by signing in to the AWS Management Console as the account root user.
Comparison Table: Root User vs. IAM Users
Action | Root User | IAM User |
---|---|---|
Change Account Name | ✔️ | ❌ |
Update Root User Password | ✔️ | ❌ |
Modify Payment Methods | ✔️ | ❌* |
Access Complete Billing Information | ✔️ | ❌* |
Upgrade AWS Support Plan | ✔️ | ❌ |
Disable AWS Organizations | ✔️ | ❌ |
Recover Account | ✔️ | ❌ |
Delegate Billing Access to IAM User | ✔️ | ❌ |
Sign AWS API Requests with Root User Credentials | ✔️ | ❌ |
Create and Manage IAM Users/Groups/Roles | ✔️ | ✔️ |
Access AWS Services (EC2, S3, etc.) | ✔️ | ✔️ |
Set Up Multi-Factor Authentication for IAM Users | ❌ | ✔️ |
*IAM users can access billing information only if granted the necessary permissions.
IAM users can manage other IAM users or access AWS services only if they have been granted the relevant permissions.
Conclusion
Understanding which tasks require the root user is essential for maintaining AWS security and adhering to best practices. As an aspiring AWS Certified Cloud Practitioner, recognizing these tasks will help you better manage AWS accounts and prepare you for scenarios that you may encounter on the CLF-C02 exam. Remember to create IAM users with just the necessary permissions for day-to-day management and to use the root user only for the specific tasks where it’s required. This knowledge ensures that you are well-prepared for both the exam and practical AWS account management.
Answer the Questions in Comment Section
True or False: The account root user is the only one that can change account settings such as the AWS Support plan.
- True
Explanation: The AWS account root user is the only identity with complete access to all resources in the account, and it’s the only identity that can change certain account settings, including the AWS Support plan.
True or False: IAM users can close the AWS account if they have the necessary permissions.
- False
Explanation: Only the AWS account root user can close the AWS account. IAM users, regardless of their permissions, are not able to perform this action.
Which of the following actions can only be performed by the AWS account root user? (Select two)
- A. Creating IAM users and groups
- B. Changing the root user’s password
- C. Restoring IAM user permissions
- D. Accessing billing information
- E. Editing the AWS Support plan
Answer: B, E
Explanation: Only the root user can change the root user’s password and edit the AWS Support plan. IAM users can be granted permissions to do most other things, except for a few restricted actions that are reserved for the root user.
True or False: IAM users can activate MFA delete on an S3 bucket if granted the necessary permissions.
- False
Explanation: Multi-Factor Authentication (MFA) delete on an S3 bucket is a security feature that can only be enabled by the AWS account root user.
Which action is exclusively reserved for the AWS account root user?
- A. Deploying an EC2 instance
- B. Configuring Virtual Private Cloud (VPC)
- C. Registering as a seller in the AWS Marketplace
- D. Creating an S3 bucket
Answer: C
Explanation: Registering as a seller in the AWS Marketplace requires the AWS account root user credentials. Actions such as deploying EC2 instances, configuring VPCs, and creating S3 buckets can be done by IAM users with the appropriate permissions.
True or False: Any user with administrative permissions can perform all the actions that the root user can, including those that manage the account.
- False
Explanation: While administrative IAM users have broad permissions, there are selected tasks reserved for the AWS account root user, such as managing account-level settings and changing the Support plan.
True or False: The account root user can delegate all of its tasks to an IAM user.
- False
Explanation: While the account root user can delegate many administrative tasks to IAM users by assigning the necessary permissions, some actions, such as changing the root user email address and enabling MFA delete on S3 buckets, cannot be delegated.
Which one of the following tasks can an IAM user conduct without root user privileges?
- A. Disabling an AWS account
- B. Restoring terminated EC2 instances
- C. Changing the account’s contact information
- D. Accessing CloudWatch data for monitoring
Answer: D
Explanation: Accessing CloudWatch for monitoring purposes can be delegated to an IAM user. Changing the account’s contact information and disabling an AWS account are examples of tasks that can only be done by the root user.
True or False: The account root user is required to assign a service-linked role to an AWS service for the first time.
- False
Explanation: IAM users with the necessary permissions can create service-linked roles. This does not require the account root user.
True or False: The account root user is the only identity that can restore an IAM user’s permissions after accidental revocation.
- True
Explanation: When an IAM user’s permissions are removed, it may be necessary to use the root user to restore them, particularly where the user accidentally lost their administrative privileges and with them the ability to grant permissions again.
True or False: Enabling detailed billing reports can be done by any IAM user with the required permissions.
- False
Explanation: Detailed billing reports can be enabled only by the AWS account root user. This is among the handful of billing-related actions reserved for the root user.
Who can establish or modify AWS Identity and Access Management (IAM) permission boundaries?
- A. Root user only
- B. Any IAM user with IAMFullAccess policy
- C. Both A and B
- D. None of the above
Answer: C
Explanation: IAM permission boundaries can be established or modified by the root user as well as by any IAM user that has been granted administrative permissions or the IAMFullAccess policy.
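The question above covers who may set a permissions boundary; the simulator below, an added example that is not code from the original post, shows what the boundary does once set. A boundary never grants anything on its own: a request succeeds only when the identity policy allows it AND the boundary allows it, and any explicit Deny wins. The evaluator handles Action matching with wildcards only; real IAM evaluation also considers Resource, Condition, SCPs and session policies. All policy documents are constructed for the example (the IAMFullAccess stand-in is a simplification, not the managed policy's exact content).

```python
"""Effective permissions under an IAM permissions boundary (added example)."""
import fnmatch


def _listed(value):
    """IAM allows a single string or a list in the Action field."""
    return [value] if isinstance(value, str) else list(value)


def _actions(policy, effect):
    """All action patterns from statements with the given Effect."""
    acts = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == effect:
            acts.extend(_listed(stmt.get("Action", [])))
    return acts


def _matches(patterns, action):
    """IAM action wildcards ('iam:*', 'iam:List*') map onto fnmatch patterns."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def policy_decision(policy, action):
    """Decision of one policy document: explicit deny beats allow, and
    a policy that mentions neither yields an implicit deny."""
    if _matches(_actions(policy, "Deny"), action):
        return "deny"
    if _matches(_actions(policy, "Allow"), action):
        return "allow"
    return "implicit-deny"


def is_allowed(action, identity_policy, boundary=None):
    """Identity policy must allow; if a boundary is attached it must allow too."""
    if policy_decision(identity_policy, action) != "allow":
        return False
    if boundary is None:
        return True
    return policy_decision(boundary, action) == "allow"


def effective_permissions(actions, identity_policy, boundary=None):
    return {a: is_allowed(a, identity_policy, boundary) for a in actions}


# Constructed policy documents for the demonstration.
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_FULL_ACCESS_LIKE = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:Get*", "iam:List*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
PROBE = ["iam:CreateUser", "iam:ListUsers", "s3:GetObject", "s3:DeleteBucket", "ec2:RunInstances"]


if __name__ == "__main__":
    print("admin, no boundary:      ", effective_permissions(PROBE, ADMIN_LIKE))
    print("admin + dev boundary:    ", effective_permissions(PROBE, ADMIN_LIKE, DEVELOPER_BOUNDARY))
    print("IAMFullAccess-like + dev boundary:",
          effective_permissions(PROBE, IAM_FULL_ACCESS_LIKE, DEVELOPER_BOUNDARY))
```

The three printed rows make the point of the question concrete: with no boundary the admin-like user can do everything; with the developer boundary the same identity policy loses iam:CreateUser (not in the boundary), s3:DeleteBucket (explicitly denied there) and ec2:RunInstances (only ec2:Describe* is in the boundary); and a user whose identity policy only covers iam: gains nothing from the boundary's s3:* entry, because the boundary caps permissions rather than granting them.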
Great blog post! Could you share a few tasks that only the root user can perform?
Thanks for the detailed info!
Does anyone know if creating a CloudFront key pair requires root user access?
I appreciate the breakdown of the tasks only the root user can perform. Very handy for the CLF-C02 exam!
One task not typically mentioned is modifying certain IAM roles’ trust policy. Confirm?
Great post! This will be very useful for my Cloud Practitioner exam. Thanks a lot.
Can anyone confirm if the root user is needed to manage the root access keys?
Very informative blog.