If that resource allows a resource-based policy, then yes, the root user can also be blocked from accessing those resources via an explicit deny at the resource level. In an org, the root user in child accounts can also be blocked through an SCP.
So, some of the places that you need to look at are:
- SCP
- Resource based policy
- Permissions boundary
- Session policy
For example, one can deny the root user access to a specific Secrets Manager secret via the Secrets Manager resource policy.
In theory, the root user has access to everything, but that can also be put under an explicit deny via one of the above-mentioned ways.
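As an added illustration of the two mechanisms the answer above relies on (not code from the re:Post thread or from AWS), here is a deliberately reduced model of IAM policy evaluation: an explicit Deny in an SCP or in a resource-based policy wins, and only if no Deny matches does the root user's implicit full access apply. The evaluator handles Effect, Action, Resource, Principal and the aws:PrincipalType / aws:PrincipalAccount condition keys only (no NotAction, NotPrincipal, or other condition operators), and it assumes the default FullAWSAccess SCP is still attached. The account ID, secret ARN and both policy documents are constructed sample values. Note the Principal detail: `"Principal": "*"` combined with `aws:PrincipalType = Account` targets the root user specifically, whereas `arn:aws:iam::<account>:root` as a Principal means every principal in that account.

```python
"""Reduced model: explicit Deny (SCP or resource policy) beats the root user's implicit Allow."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed sample account id
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/db-creds-AbCdEf"  # constructed

# Constructed SCP: applies to member accounts of an Organization, root user included.
SCP_DENY_ROOT_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUserDeletingSecrets",
        "Effect": "Deny",
        "Action": "secretsmanager:DeleteSecret",
        "Resource": "*",
        # aws:PrincipalType == "Account" identifies the account's root user
        "Condition": {"StringEquals": {"aws:PrincipalType": "Account"}},
    }],
}

# Constructed resource-based policy attached to the secret itself.
SECRET_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUserReadingSecret",
        "Effect": "Deny",
        "Principal": "*",  # narrowed to this account's root user by the condition below
        "Action": "secretsmanager:GetSecretValue",
        "Resource": SECRET_ARN,
        "Condition": {"StringEquals": {"aws:PrincipalType": "Account",
                                       "aws:PrincipalAccount": ACCOUNT}},
    }],
}

# Request context for the root user of the sample account.
ROOT_USER = {"arn": f"arn:aws:iam::{ACCOUNT}:root", "type": "Account", "account": ACCOUNT}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, principal, action, resource):
    """True if the statement's Action, Resource, Principal and StringEquals conditions all match."""
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", "*"))):
        return False
    if "Principal" in stmt:  # resource policies name a principal; SCPs do not
        spec = stmt["Principal"]
        allowed = ["*"] if spec == "*" else _as_list(spec.get("AWS", []))
        if not any(p == "*" or p == principal["arn"] for p in allowed):
            return False
    context = {"aws:PrincipalType": principal["type"], "aws:PrincipalAccount": principal["account"]}
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != want:
            return False
    return True


def evaluate(principal, action, resource, scps=(), resource_policy=None):
    """Return the decision under the reduced model.

    1. Any matching explicit Deny in an SCP or the resource policy wins.
    2. Otherwise the root user is implicitly allowed (no identity policy can be attached to it).
    3. Any other principal would need an explicit Allow, which this model does not evaluate.
    """
    policies = list(scps) + ([resource_policy] if resource_policy else [])
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and _statement_matches(stmt, principal, action, resource):
                return f"Deny ({stmt['Sid']})"
    if principal["type"] == "Account":
        return "Allow (root user implicit)"
    return "Deny (implicit: no Allow evaluated)"


def demo():
    """Same root user, same secret: the outcome depends only on which Deny statements are in place."""
    return {
        "read, no restrictions": evaluate(ROOT_USER, "secretsmanager:GetSecretValue", SECRET_ARN),
        "read, resource policy": evaluate(ROOT_USER, "secretsmanager:GetSecretValue", SECRET_ARN,
                                          resource_policy=SECRET_RESOURCE_POLICY),
        "delete, SCP": evaluate(ROOT_USER, "secretsmanager:DeleteSecret", SECRET_ARN,
                                scps=[SCP_DENY_ROOT_DELETE]),
        "describe, both": evaluate(ROOT_USER, "secretsmanager:DescribeSecret", SECRET_ARN,
                                   scps=[SCP_DENY_ROOT_DELETE], resource_policy=SECRET_RESOURCE_POLICY),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24s} -> {decision}")
```

The fourth case is the one to keep in mind when writing such policies: a Deny only covers the actions it names, so DescribeSecret is still allowed even with both restrictions in place. A resource policy that denies the root user is also the easiest way to lock yourself out of a resource, so keep a path (an SCP review process, or a break-glass role) to update it.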
No, the root user in AWS has full administrative privileges and can see and access all resources within the account, including objects created by IAM (Identity and Access Management) users. By design, the root user has unrestricted access to the entire AWS environment and can review and manage all resources.
It's important to note that while the root user has broad access, it is generally recommended to follow the principle of least privilege and avoid using the root user for day-to-day tasks. Instead, it's recommended to create and use IAM users with specific permissions to perform regular tasks, and only rely on the root user for administrative actions that require unrestricted access.
Thanks Nikunj!
Thank you so much Abhishek. Appreciate your detailed response; it's really helpful.