AWS SCP and Account Root User: Security through Restriction
The AWS Account Root User has unrestricted access to everything in its account. Yet in a well-run organization it is needed only in a handful of exceptional cases. Service Control Policies (SCPs) are the key to minimizing the risk it poses the rest of the time.
A fundamental principle of IT security is the "Principle of Least Privilege". The Root User of an AWS account is the direct opposite of this principle: it is allowed to do everything by default, and its permissions cannot be restricted by IAM policies (identity policies and permissions boundaries do not apply to it). AWS therefore strongly recommends not using the Root User for daily tasks and protecting its credentials with MFA.
When is the Root User needed at all?
In a well-managed AWS organization, there are very few scenarios where access with the Root User is unavoidable. These include:
- Restoring S3 permissions: If a bucket policy has been configured in a way that accidentally locks out all access (including administrators), only the Root User can delete or change this policy.
- Changing the AWS support plan: Changing or cancelling the support plan and certain contract settings require root privileges.
- Closing an account: Permanently closing the account. For member accounts, the management account can also do this through the AWS Organizations CloseAccount API, so root is mainly needed for standalone accounts.
For almost all other administrative tasks, IAM roles with AdministratorAccess should be used, ideally assumed through federation (for example IAM Identity Center) rather than IAM users with long-lived access keys.
Restricting Root User with SCPs
Since the Root User cannot be removed from an account (it is inextricably linked to it; AWS Organizations can centrally delete the root credentials of member accounts, but the root identity itself remains), we must ensure that it is not misused. This is where Service Control Policies (SCPs) come into play.
SCPs are part of AWS Organizations and let you set, centrally, the maximum permissions available in member accounts. An SCP never grants permissions; it only limits what the IAM policies inside an account can grant. An explicit Deny in an SCP applies to every principal in the account, including the Root User, regardless of what the account's own policies allow: the "Deny" always wins. The one exception is the management account, whose principals (root included) are never affected by SCPs.
Practical Example: Root Access Deny
An effective strategy is to apply an SCP to the entire organization or to specific OUs (Organizational Units) that contains an explicit Deny on all actions, conditioned on the calling principal being the Root User (the aws:PrincipalArn condition key matching arn:aws:iam::*:root). IAM users and roles have different ARNs and are not affected. Attaching the SCP at the organization root or on an OU has the advantage that accounts created later are covered automatically.
This effectively "neutralizes" the Root User in every member account the SCP applies to: its credentials can still sign in, but every API call is denied. Two caveats apply. First, the root user of the management account stays unrestricted and needs its own safeguards (hardware MFA, no access keys, tightly held password). Second, the break-glass path depends on where the SCP is attached. If it is attached directly to the affected account, an administrator of the AWS Organization can temporarily detach it (for example with aws organizations detach-policy --policy-id <policy-id> --target-id <account-id>), perform the repair as root (e.g., the S3 bucket lockout), and reattach the policy. If it is attached to an OU, detaching would lift it from every account in that OU, so the affected account should instead be moved for the duration of the repair into an OU that does not carry the policy. Either way, the exemption should be logged and reverted as soon as the repair is done.
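The SCP described above, written as an added Terraform example for this article (it is not the code from the author's GitHub repository). It assumes the AWS provider is configured with credentials for the Organizations management account and that the SERVICE_CONTROL_POLICY type is enabled for the organization; the variable names member_account_ids and break_glass_account_ids are hypothetical inputs. The policy is attached per account rather than per OU so that a single account can be exempted for a root-only repair by adding it to break_glass_account_ids.

```hcl
# Added example, not the author's repository code. Assumes the AWS provider is
# configured for the Organizations management account and that the
# SERVICE_CONTROL_POLICY policy type is enabled. Variable names are hypothetical.

variable "member_account_ids" {
  description = "All member accounts that should get the root-deny SCP"
  type        = set(string)
}

variable "break_glass_account_ids" {
  description = "Accounts temporarily exempted for a root-only repair (normally empty)"
  type        = set(string)
  default     = []
}

resource "aws_organizations_policy" "deny_root_user" {
  name        = "deny-root-user"
  description = "Deny every action to the root user of the attached member accounts"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyRootUser"
        Effect   = "Deny"
        Action   = "*"
        Resource = "*"
        Condition = {
          # The root user's aws:PrincipalArn is arn:aws:iam::<account-id>:root.
          # IAM users and roles have different ARNs and are not matched.
          StringLike = {
            "aws:PrincipalArn" = "arn:aws:iam::*:root"
          }
        }
      }
    ]
  })
}

# Attach directly to each account (not to an OU). A break-glass exemption is then
# a reviewable change: add the account ID to break_glass_account_ids, apply,
# perform the repair as root, remove the ID again and apply to re-attach.
resource "aws_organizations_policy_attachment" "deny_root_user" {
  for_each  = setsubtract(var.member_account_ids, var.break_glass_account_ids)
  policy_id = aws_organizations_policy.deny_root_user.id
  target_id = each.value
}
```

Because SCPs never apply to the management account, its root user is not covered by this policy and must be protected separately. If you prefer OU-level attachment so that new accounts are covered automatically, keep in mind that the break-glass step then means moving the affected account into an OU without the policy, not detaching it from the OU.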
Example Code
You can find concrete Terraform code for such an SCP in my GitHub repository. This example shows how to block root access by default:
GitHub: AWS SCP Examples / Root User
Conclusion
Securing the Root User is a critical step in building a secure AWS Landing Zone. By using SCPs, organizations can ensure that this powerful access is not used for everyday tasks and potential attack vectors are minimized.
Want to check the security of your cloud environment?
We analyze your AWS organization and implement security standards according to best practices.