My organization uses AWS GovCloud (US) to run workloads. Because of a security incident or compliance requirement, my organization now requires that all root user account access keys be deleted, deactivated, or rotated.
Short description
When you sign up for an AWS account, you are issued a single sign-in identity called the AWS account root user ("root user"). The root user can access all AWS services and resources in your AWS account. After you complete the AWS GovCloud (US) sign-up process with your root user credentials, the AWS GovCloud (US) account root user is also created.
Important: It's a best practice to use the AWS account root user only when you create your first AWS Identity and Access Management (IAM) user. After you create that first IAM user, lock away the root user access keys and use them only to perform a few tasks. Use your IAM user account for your day-to-day tasks.
Resolution
Follow these steps to delete, deactivate, or rotate root access keys for your AWS GovCloud (US) account.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Configure root access keys in the AWS CLI
As your first step, configure the AWS CLI with your AWS GovCloud (US) account root user access keys. You can also configure the AWS CLI for local use. For instructions, see Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell).
Verify that root access keys exist
To verify that your AWS GovCloud (US) account has a root access key, see Does my AWS GovCloud (US) account have existing root access keys?
Delete root access keys
To delete a root access key, follow the instructions for Deleting my AWS GovCloud (US) account root user access keys.
Deactivate root access keys
To deactivate a root access key, run the update-access-key AWS CLI command, similar to the following:
aws iam update-access-key --access-key-id AKIAEXAMPLE123456789 --status Inactive
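When the account has more than one root access key, the order of deactivation matters, because a key that is Inactive can no longer sign requests. The following is an added example, not AWS's own code: it turns list-access-keys output into update-access-key commands with the signing key last. The function name plan_deactivation and the second key ID are constructed for illustration.

```shell
#!/bin/sh
# Added example. Plans root access key deactivation from the text output of:
#   aws iam list-access-keys \
#     --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text
# run with the root user keys configured (no --user-name, so IAM determines
# the user from the access key that signs the request).
# The signing key ID can be read with: aws configure get aws_access_key_id

# plan_deactivation SIGNING_KEY_ID   (key list on stdin: "<id><TAB><status>")
# Prints one update-access-key command per Active key. The key that signs the
# requests is printed last, because an Inactive key cannot sign further calls.
plan_deactivation() {
    signing_key=$1
    last=""
    while read -r key_id status || [ -n "$key_id" ]; do
        # Sanity check: only uppercase letters and digits are accepted, so a
        # malformed line can never end up inside a printed command.
        case $key_id in
            ""|*[!A-Z0-9]*) continue ;;
        esac
        [ "$status" = "Active" ] || continue    # already Inactive
        cmd="aws iam update-access-key --access-key-id $key_id --status Inactive"
        if [ "$key_id" = "$signing_key" ]; then
            last=$cmd                            # defer the signing key
        else
            printf '%s\n' "$cmd"
        fi
    done
    [ -z "$last" ] || printf '%s\n' "$last"
}

# Constructed sample input: two Active root keys, the first one signs requests.
demo() {
    printf 'AKIAEXAMPLE123456789\tActive\nAKIAEXAMPLE987654321\tActive\n' |
        plan_deactivation AKIAEXAMPLE123456789
}

demo
```

Review the printed commands before you run them, then repeat the verification step to confirm that each key shows as Inactive.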
Rotate root access keys
To rotate root access keys, follow the instructions to Rotate my AWS GovCloud (US) account root user access keys.
Related information
How IAM Differs for AWS GovCloud (US)