Example SCP: Deny AWS account root user access

Service Control Policy example that denies access to AWS resources for the AWS account root user.

Service Control Policy example: Deny access to AWS resources for the AWS account root user

It's generally a best practice to not use the root user to do your tasks in your AWS account. Instead, you should create an IAM admin user and use that to do administrative tasks.

Since the root user has full access to all your resources and billing information you should further protect it with the following steps:

As an additional layer of protection, you can set up a guardrail in the form of a Service Control Policy to deny access to AWS resources from the root user.

{ "Version": "2012-10-17", "Statement": [ { "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" } }, "Action": "*", "Resource": "*", "Effect": "Deny", "Sid": "DenyRootUser" } ] }

How to create the AWS Service Control Policy

Log in to the AWS console and then go to the Service control policies tab under the AWS Organizations service where you can create the new policy. Note: make sure to have AWS Organizations enabled.

Learn more about AWS Service Control Policies

If you are in a position where you have responsibility for the AWS Cloud infrastructure, then have a look at The complete guide to AWS Service Control Policies.

Share on Twitter

Subscribe to the newsletter

If you're interested in AWS Cloud, Infrastructure as Code, DevOps, and getting certified in AWS then subscribe to my newsletter to get exclusive tips and tricks on becoming a successful Cloud Engineer.

- subscribers