5 ways to protect root account in the Cloud

Oct 12, 2021 · 3 mins read · Post a comment

Security as one of the Five Pillars of the Well-Architected Framework has been underlooked, not just in the age of the cloud computing but before that as well. With cloud migration being a growing trend of the last couple of years, data breaches are becoming more frequent, including well-established giant platforms, not just small and medium businesses. Take for example, last week there has been a 125GB data leak, which later was revealed it was due to a server-side configuration.

Working in the cloud always starts with setting up a root account, which could become a treasure for hackers, only if left as it is, with the default settings, leaving any best practice recommendations for another day.
The following best practices could help us protect from any unauthorized access and potential data leaks.

Enable multi-factor authentication (MFA)

First and foremost, MFA is an underlooked practice. MFA comes in two flavors, virtual and hardware.

Most common virtual devices are apps installed on our mobile phones, like Google and Microsoft Authenticators, 2FAS Auth, Authy and a dozen others. At first, the whole MFA login experience becomes annoying by entering a 6-digit numeric code, but slowly and surely we need to get used to it on a daily basis.

Hardware devices and U2F security keys are both physical devices that needs to be purchased first, before entering a 6-digit code as well. Yubico is the most popular choice.

MFA could be implemented in two ways:

  • From the account settings
  • Using policies applied at an Organization or Management level, depending on the cloud provider.

Remove any access keys

Access keys are used to make programmatic calls to the cloud provider’s APIs. For example:

  • Executing commands from a CLI.
  • Planning and applying Terraform changes from a CI/CD pipeline.
  • An app or serverless function integration with a cloud service.

Remove any access keys from the root account, and never commit any access keys or secrets in Git repositories, since there are bots scanning public repos, ready to spin up some pricey instances for crypto mining to rack up your bill.

Enforce password and access policies

Use IaC tools and automation as an advantage when applying password and access policies. For instance:

  • Passwords policy and compliance.
  • Single Sign-On (SSOs).
  • Create access reviews.
  • Conditional access policies.

Eliminate use of the root account

Although the root account is required for certain tasks, never use the root account for daily activities. Instead, use the following practices:

  • Create and assign users, groups and roles for the technical teams.
  • Use Service Principal and Managed Identities when providing an identity for apps that require access to another cloud resources.
  • Always apply the principle of least privilege (PoLP).
  • Limit access to the root account.

Setup Audit

Last but not least, deploy audit policies. Whenever someone’s being using the root account, send SMS or email notification.


Go passwordless! We should focus on eliminating the need of a password authentication, since password policies are kinda not so practical in the real world, and sometimes employees could be clumsy, or they don’t have the proper, basic security knowledge and training. Hence, they are the most common targets of hackers. With that being said, Passwordless Authentication is the future.

Feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.