Why on earth does Storage Lens require an IAM user instead of root?


I use IAM users for all kinds of things I want to lock down when accessed from outside scripts all across my AWS account, so I like and use IAM. But when I'm logged into the AWS dashboard as root, I should be able to access everything I haven't explicity locked down with some insane double secret permissions. It's the root account. Forcing me to create an IAM user just to access some random AWS metrics service is just completely annoying, and doesn't gain anything (if I'm already logged in as root, I can just go make the IAM account myself if I'm a badguy)? For small companies, it's just a total waste of time, there's no way I'm going to make a new IAM user and then log out and then log back in just to mess around with some new AWS thing I was curious about. Please fix this, it's silly.

Thanks, Chris

profile picture
asked a year ago1158 views
1 Answer

It is recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. For a tutorial on how to set up an administrator for daily use, see Creating your first IAM admin user and user group.


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
  2. https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html
  3. https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Having said that, You can’t use your account's root user credentials to view Amazon S3 Storage Lens dashboards. To access S3 Storage Lens dashboards, you must grant the requisite IAM permissions to a new or existing IAM user. Then, sign in with those user credentials to access S3 Storage Lens dashboards. For more information, see Amazon S3 Storage Lens permissions.

Reference - https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_console_viewing.html

profile pictureAWS
answered a year ago
profile pictureAWS
reviewed a year ago
  • Yes, I know this is recommended, but no other AWS service that I use requires this. Should I take it that you guys are going to transition all AWS services to refusing root access and requiring IAM users? Or all new services are going to have this restriction? And if not, then please fix this one too so it doesn't require it. I can make my own decisions about my level of risk tolerance and security best practices, not all are appropriate for all users. If you guys are going to transition everything over to refusing root and requiring different IAM users, good luck with that.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions