Usage of the root user







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




In recent years, the number of potential uses for the AWS root user have decreased significantly. As a result, it should not be used frequently. Enabling monitoring and alerts on root user usage in your environment is recommended.

Understanding Impact

Business Impact

The AWS root user has unlimited privileges and should not be used for daily operations.

Technical Impact

The AWS root user has unlimited privileges, including the ability to access and remove account data. Regular usage of the root user creates a substantial risk, as its credentials do not expire and can easily be leaked.

Identify affected resources

To check if the root user of an AWS account was recently used, generate an IAM credential report from the AWS CLI or AWS Console.

You can use the following fields, on rows where user is set to <root_user>:

  • password_enabled and password_last_used
  • access_key_1_active and access_key_1_last_used_date
  • access_key_2_active and access_key_2_last_used_date

Remediate vulnerable resources

Usage of the root user is only required for a very limited number of tasks and should not be used on a daily basis.

It is recommended to not generate any access keys for the root user, securely store its password in a password vault, and raise an alert when it's used.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | Root account credentials should be inactive for the previous 30 days".


AWS account root user

aws documentation

FTC Chegg Complaint

AWS root Account Takeover

Ubiquity breach

Behind the scenes in the Expel SOC: Alert-to-fix in AWS

Did you find this article helpful?

Related Vulnerabilities and Threats