Company logoHelp Center
Visit braidfi.com

Understanding AWS Root Accounts

3 min. readlast update: 03.26.2025

To maintain the security and integrity of your AWS infrastructure, it is critical to understand the importance of the AWS root account, who controls it, and why it must be protected. This article explains the role of the root account, why we at Braid do not have access to it, and what steps your institution should take to safeguard this vital credential.

What Is the AWS Root Account?

The root account is the original identity used to create your AWS environment. It has full administrative privileges across all AWS services and cannot be restricted by policies, roles, or permissions. This account is the ultimate authority in your AWS setup.

Key facts:

  • Created at the time of account setup.
  • Tied to a specific email address.
  • Has unrestricted access to all services, billing, and security settings.
  • Required for certain sensitive operations (e.g., closing the account, managing billing and more).

Why Braid Does Not Have Access to Your Root Account

As a best practice — and a core part of our security model — we do not have access to your root account credentials. Instead, we are granted access through secure IAM roles that limit our permissions to what’s needed to operate your infrastructure.

This ensures:

  • Your institution retains full control and ownership of the AWS environment.
  • Sensitive actions like billing and account changes remain in your hands.
  • We follow AWS’s security best practices by avoiding root account usage.

Why This Matters

Only your institution can manage the root account. Losing access to the root email or password means losing control over billing, account recovery, and certain critical operations. Even AWS support cannot assist unless you can verify ownership via the registered email.

If your team cannot remember which email was used to create the account, you must:

  1. Identify which institutional email was likely used during account setup.
  2. Use AWS's password reset flow once the correct email is confirmed.

We strongly recommend:

  • Documenting the root email and storing it in a secure location.
  • Ensuring at least two trusted people at your institution can access the root inbox.

Takeaway

Your AWS root account is your master key. It must be protected, documented, and accessible only to trusted individuals at your institution. At Braid, we design our systems to never rely on root access, ensuring that ownership and control stay fully with your bank. If you're unsure who has access, now is the time to verify and secure it.

If you need help reviewing your AWS setup or securing access, our team is here to assist.

Was this article helpful?