
Back to Basics - AWS Root User Prerequisites
Set up your AWS root user securely: prepare shared email, business phone, payment info, MFA, and contacts. Use root only for emergencies.
Joseph Giacobbe
Amazon Employee
Published Jun 10, 2025
Continue to Back to Basics - AWS Root User MFA
Creating an AWS root user can be intimidating at first, so have everything ready before you start creating anything. Always check whether your company has an internal procedure you need to follow before working through this or any other public guide.
Preparing for AWS root user account creation helps ensure a smooth process. Without these prerequisites, people often enter placeholder information (a personal mailbox, a personal phone, a personal card) that is never revisited and becomes a recovery problem later.
One of the most important decisions when creating an AWS account is the email address. Every AWS account requires an associated email address; it becomes the root user's sign-in name and is used for account recovery, support cases, and service notifications.
- Create a shared mailbox (a group mailbox or distribution list) that multiple administrators can access.
- This provides redundancy in case someone is on vacation, extended leave, or leaves the company.
- Ensure the email address supports subaddressing (plus addressing).
- This lets you create multiple unique email addresses from the same group mailbox without managing separate aliases, which matters because an email address can be associated with only one AWS account. Example: awsadmin+management@example.com for the management account, awsadmin+security@example.com for a security account.
Obtaining a dedicated, business-owned phone number is often the most challenging part of AWS root user setup, but this number is crucial for recovering the account in worst-case scenarios. Attach the number to a device stored in a secure location, separate from your MFA devices, so that losing or compromising one does not take the other with it.
For personal accounts or small businesses, all of this might be overkill. If you use a personal phone number on an account, inform a partner what your number is being used for, and document the process for your partner to follow if you are no longer able to support the AWS account. That way they can take those steps to keep the business running, or close the account to prevent unwanted billing.
Either way, document what this phone number is used for and the process to change it before the number is ever retired or reassigned.
Account creation requires a valid credit card. Have this information ready before you start, and use a company payment method rather than an individual's card so that billing does not depend on one employee.
The easiest way to get started is to register a virtual MFA device and store its secret (the TOTP seed shown as the QR code or text key) in your company's password manager. Make sure the record is owned by multiple authorized admins, not one person. You should eventually register additional MFA devices for redundancy (AWS supports multiple MFA devices on the root user), but this is not required for the initial setup.
For those who don't have a company-wide password manager, follow a similar procedure: create the MFA secret in a vault accessible by multiple people, such as a shared KeePass database on SharePoint or a shared password manager vault. Using a personal password manager should be limited to personal accounts or small businesses with minimal IT staff.
Registering the MFA token on an employee's personal device leads to headaches later on. The employee will eventually move on, and there is no guarantee they will hand over this information to their replacement; at that point the only recovery path is the phone and email recovery process described above.
Most organizations have separate departments for billing, operations, and security. AWS lets you set an alternate contact for each, so that AWS communicates with the appropriate personnel. Without alternate contacts, the only point of contact AWS has is the group email address associated with the root user. Each alternate contact requires:
- Full name
- Title
- Email address
- Phone number
AWS best practice is to enter an email address and phone number owned by the company: ideally a distribution list and a department phone number rather than an individual's. Suggested owners for each contact type:
- Billing
- CFO, Cloud Finance group, EVP of finance, etc
- Operations
- CTO, EVP of Infrastructure, SRE group, etc
- Security
- CISO, EVP of Security, SecOps team, etc
For more details on alternate contacts, see the official AWS documentation on managing alternate contacts.
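As an added example (not code from the original post), here is a small POSIX shell script that sets the three alternate contacts from the AWS CLI and reads them back, so the step is repeatable and reviewable rather than typed into the console once. It assumes AWS CLI v2 with the `account` service commands, credentials permitted to call `account:PutAlternateContact` and `account:GetAlternateContact`, and it uses placeholder names, titles, example.com mailboxes and 555 phone numbers; the company domain check is the author's own guardrail against personal mailboxes, not an AWS requirement.

```shell
#!/bin/sh
# Added example: configure AWS alternate contacts from the CLI.
# Assumptions: AWS CLI v2, credentials with account:PutAlternateContact and
# account:GetAlternateContact; all names, mailboxes and numbers are placeholders.
set -eu

COMPANY_DOMAIN="example.com"   # assumption: alternate contacts must be company-owned mailboxes

# Check one contact before it is sent to AWS. Returns 0 if usable.
# Args: type name title email phone
validate_contact() {
  ctype=$1 name=$2 title=$3 email=$4 phone=$5
  case "$ctype" in
    BILLING|OPERATIONS|SECURITY) ;;
    *) echo "bad contact type: $ctype" >&2; return 1 ;;
  esac
  # Reject personal mailboxes: the address must be on the company domain.
  case "$email" in
    *@"$COMPANY_DOMAIN") ;;
    *) echo "not a company mailbox: $email" >&2; return 1 ;;
  esac
  [ -n "$name" ] && [ -n "$title" ] || { echo "name and title are required" >&2; return 1; }
  # Require an E.164-style number (leading + and country code), e.g. +15555550100.
  case "$phone" in
    +[0-9]*) ;;
    *) echo "phone must be E.164, e.g. +15555550100: $phone" >&2; return 1 ;;
  esac
}

# Push one contact to AWS, only after validation passes.
# Optional 6th arg: a member account ID, when run from the Organizations
# management account with trusted access enabled for the Account service.
put_contact() {
  validate_contact "$1" "$2" "$3" "$4" "$5"
  acct=${6:-}
  set -- --alternate-contact-type "$1" --name "$2" --title "$3" \
         --email-address "$4" --phone-number "$5"
  [ -n "$acct" ] && set -- "$@" --account-id "$acct"
  aws account put-alternate-contact "$@"
}

# Read back what AWS has stored for one contact type, to confirm the change landed.
show_contact() {
  aws account get-alternate-contact --alternate-contact-type "$1" \
    --query 'AlternateContact.[AlternateContactType,Name,EmailAddress,PhoneNumber]' \
    --output text
}

# Apply all three contacts. Usage:  sh alt-contacts.sh apply
if [ "${1:-}" = "apply" ]; then
  put_contact BILLING    "Cloud Finance" "Cloud Finance Group" "aws-billing@$COMPANY_DOMAIN"    "+15555550100"
  put_contact OPERATIONS "SRE On-Call"   "SRE Team"            "aws-operations@$COMPANY_DOMAIN" "+15555550101"
  put_contact SECURITY   "Security Ops"  "SecOps Team"         "aws-security@$COMPANY_DOMAIN"   "+15555550102"
  for t in BILLING OPERATIONS SECURITY; do show_contact "$t"; done
fi
```

Run it with `apply` after the account exists; the read-back at the end is the check worth keeping, since a typo in a security contact is otherwise invisible until AWS tries to reach you.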
Once you have gathered all this information, you can create the account. After creation, look into building a landing zone (AWS Control Tower is one option). As a best practice, do not deploy resources as the root user: at a minimum, create an administrative identity (an IAM Identity Center user or an IAM role) for day-to-day tasks, and use the root user only for the few tasks that require it and for emergencies.
Continue to Back to Basics - AWS Root User MFA
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.