Difference between Root User and IAM User in AWS You Need to Know

Difference between Root User and IAM User in AWS

Dear Reader, In today’s post, I will help you understand the difference between Root User and IAM User in AWS in details.

Let’s start with understanding each one of them. If you know them well, it will help you eventually understand the difference in a more clear way.

So, shall we start?

Okay !!!

If you have ever noticed, In your journey of using AWS cloud, you will come across two types of users.

  1. Root User(Account owner)
  2. IAM User

Let’s understand Root user and IAM user by an analogy

Imagine, you are the owner of a company “StartUpOnCloud” and you decided to create an application for your company using AWS. You create an AWS account with your email address, password and other details. So you are the account owner or root user. Your credential (email and password) is the root user credential.

Note: Root user has God like power and it can do everything with your AWS account 🙂 So, use it carefully.

Now, you have a group of developers who would be working with you in your AWS account. You wish to allow your developers to work in your AWS account. But, as a security best practice, you can not share your credential with anyone.

So, what to do?

Well, AWS allows you to create what’s called an IAM user. You can create an IAM user for each developer, assign them permission based on their need and handover the account to them. Being an IAM user they will only be able to perform tasks that you have permitted them to do using policies.

I assume you understand the fundamental behind root user and iam user. Let’s get to know them in more details by understanding their features.

Features of AWS Root User-

  • Root user is ideally the first AWS user that gets created by default when you create your AWS account.
  • You can login as a root user using the email address and password that you used to create your AWS account.
  • All the AWS account have a root user(mind it one and only one)
  • A root user has full access to all the resources in an AWS account
  • You can not use an IAM policy to restrict access of a root user.
  • The only way to restrict permission to root user is by having Service Control Policy attached to your account
  • You should not use your root user for your everyday task(even administrative ones). Ideally you should create your first Administrator IAM user and lock your root account right away

Features of AWS IAM User?

  • IAM user can be created by a root user or an IAM user who has permission to create one.
  • You can login as a IAM user using your username/password and your AWS AccountId/Alias
  • An IAM doesn’t have full access until unless explicitly assigned. So, user can only perform task for which permission has been assigned to it. For example if an IAM user has S3 full access, it can do everything with S3 but can not create an EC2 instance.
  • You can use an IAM policy to restrict access of an IAM user.
  • An IAM user can represent a person or an application that uses its credentials to make request to various AWS services
  • By default, an IAM user has no permission
  • You can assign permission to each IAM user individually or as a group depending on the need. Hence, you can limit the permission to only what’s needed for the job for that user(principal of least privilege)

An IAM User with administrator permissions vs Root User

By now, I am sure you know root user and IAM user well. There is another aspect in terms of them that I see people being confused. Hence, I would like to cover it in this post.

You might see in IAM policy that an IAM user with Administrative policy has below access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

It simply means all access to all the resources.

But is that true literally?

Well, answer to this question is almost Yes but to be precise No !!!!

Now, what do I mean by my last sentence?

Let me try to clarify that in next paragraph.

An IAM administrator user can pretty much do everything that a root user can do except few tasks that only root user is allowed to do. for example-

  • Closing your AWS account
  • Changing your AWS account settings
  • Changing your support plan
  • Activate IAM access to Billing
  • Enable MFA delete on an S3 bucket etc.

Note: Please check AWS page for complete list of task that only root user is allowed to do

Best Practices around AWS Root user and IAM User

  • Do not use your root user access key
  • Enable MFA for your root user as well as all the IAM users
  • Don’t share your root user/IAM user’s credential with anyone.
  • Create separate user for anyone who needs access your account
  • Grant least privilege to your IAM users
  • Have a strong password policy for your users in place

Conclusion

In this quick post we learnt the difference between Root User and IAM User in AWS.

Let’s summarize what we learnt-

  • We started with understanding Root user and IAM user with an analogy
  • Then we understood the feature of both of them
  • We learnt the difference between an IAM User with administrator permissions and Root User
  • Lastly, we saw few best practices around AWS root user and IAM user

I hope you enjoyed the tutorial. Do let me know in comment in case you face any issue.

Enjoyed the content?

Subscribe to our newsletter below to get awesome AWS learning materials delivered straight to your inbox.

I hope you enjoyed this tutorial. If you have a question, feel free to drop in comment. I will be more then happy to answer your query.

Meanwhile you can also –

Suggested Read:

Leave a Reply

Your email address will not be published. Required fields are marked *