Root User, Admin Access, MFA, and Logging
Lock down your AWS account on day one: protect root, enable MFA, set up everyday admin access, and turn on CloudTrail.
All services used in this lesson are covered by the AWS Free Tier.
The #1 rule: Protect root, then stop using it
The root user is the identity created when you first create an AWS account. It has full access and cannot be restricted by IAM permissions.
AWS guidance is clear: lock down the root user, then use it only for tasks that require root.
Root is powerful and risky because a mistake or compromise can affect everything, including billing and account settings.
Root user: what to do first
A) Enable MFA for the root user
MFA (multi-factor authentication) adds a second verification step, like an authenticator app, required during sign-in. Enable it for root immediately.
Warning
Without MFA, anyone who gets your root password has full control of your account, including billing. This is the single most important security step.
B) Ensure the root user has no access keys
Root best practices recommend not having root access keys. If they exist, deactivate and delete them. Access keys are long-term credentials, and root access keys are the highest-risk kind.
C) Use root only when required
A small number of tasks require root (like changing account-wide billing settings). Everything else should be done with a non-root identity.
Everyday access: do not work as root
AWS IAM best practices recommend using IAM roles and temporary credentials for humans and workloads when possible, and requiring MFA where appropriate.
For a learning account, a simple safe pattern is:
- Root: locked down with MFA, rarely used
- Everyday admin: an identity you use for normal work, protected by MFA, with permissions you can later reduce following the principle of least privilege
Tip
You do not need to get permissions perfect on day one. Start with what you need to learn, then gradually reduce permissions as you understand what each service requires.
Key IAM concepts (preview)
These terms will be covered in depth in the next lesson, but you should know them now:
IAM
AWS service for managing identities and permissions.
Role
An identity with temporary credentials, preferred over long-term keys.
Temporary credentials
Short-lived credentials that expire, reducing risk if leaked.
Least privilege
Give only the permissions required to do the task, and no more.
Logging: know what happened when something goes wrong
CloudTrail event history vs "create a trail"
CloudTrail records AWS API activity for auditing and security investigation.
Event history
- On by default — no setup required
- Covers the past 90 days
- Good for quick short-term lookback
Create a trail
- Archives logs to S3 for longer retention
- Enables deeper auditing and investigation
- Needed for compliance requirements and for any analysis beyond the 90-day event history window
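A small checker for the root-user rules above (MFA on, no access keys) and for the "create a trail" point, as an added example that is not part of this lesson. It runs over constructed sample data shaped like the AWS responses: a trimmed IAM credential report (the real report from `iam.get_credential_report()` has the same column names plus more columns, and root appears as `<root_account>`) and a trail list shaped like `cloudtrail.describe_trails()['trailList']` with `IsLogging` folded in from `get_trail_status()`. The multi-region requirement on the trail is an extra check beyond what the lesson states.

```python
"""Day-1 account checks: root MFA, no root access keys, a logging trail to S3."""
import csv
import io

# Constructed sample credential report (trimmed to the columns used here).
CREDENTIAL_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,false,true,false
admin,arn:aws:iam::123456789012:user/admin,true,false,false
"""

# Constructed trail list; IsLogging would normally come from get_trail_status().
TRAILS = [
    {"Name": "mgmt-trail", "S3BucketName": "example-trail-logs",
     "IsMultiRegionTrail": False, "IsLogging": True},
]


def root_findings(report_csv: str) -> list[str]:
    """Flag the two root-user rules: MFA enabled and no long-term access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != "<root_account>":
            continue  # only the root row matters for these checks
        if row["mfa_active"] != "true":
            findings.append("root: MFA not enabled")
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append("root: active access key present (deactivate and delete)")
    return findings


def trail_findings(trails: list[dict]) -> list[str]:
    """Event history only keeps 90 days; require a logging, multi-region trail to S3."""
    good = [t for t in trails
            if t.get("S3BucketName") and t.get("IsMultiRegionTrail") and t.get("IsLogging")]
    if good:
        return []
    if not trails:
        return ["cloudtrail: no trail configured, only 90-day event history available"]
    return ["cloudtrail: no trail is multi-region, delivering to S3 and logging"]


def day1_findings(report_csv: str, trails: list[dict]) -> list[str]:
    """Combine both check groups; an empty list means the day-1 items pass."""
    return root_findings(report_csv) + trail_findings(trails)


if __name__ == "__main__":
    for finding in day1_findings(CREDENTIAL_REPORT, TRAILS):
        print("FAIL", finding)
```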
Day 1 Security Checklist
Summary
- Lock down root with MFA and avoid using it for normal work
- Prefer roles and temporary credentials, and require MFA for identities that need console access
- CloudTrail event history exists, but a trail helps with longer-term retention and investigation
- Start with safe defaults, then gradually move toward least privilege