Share AWS Access Safely (No Root, Roles Only)

Rule #1: never use or share the root user

The root account has full control and should be locked down with MFA and used only for rare account-level tasks. Day-to-day access should be via IAM users/roles or IAM Identity Center (AWS SSO).

Fast, safe access pattern

1. Create per-person access (IAM user or Identity Center assignment) with the least privilege policy.
2. Require MFA for every human account. If someone needs a memorable master passphrase, send this: How to Create Strong Passphrases You’ll Actually Remember.
3. Prefer roles + temporary creds over long-lived access keys.
4. Deliver any one-off secrets via a one-time, expiring link and send the access code by a different channel. How-to: The Safe Way to Share Passwords in 2025 (No Email).

Onboarding checklist (copy/paste)

• [ ] Add user via IAM or assign via Identity Center
• [ ] Attach only the needed policy (reader first; escalate later)
• [ ] Enforce MFA before granting console access
• [ ] Enable CloudTrail and log access

Offboarding & rotation

• Disable user/assignment, then revoke sessions and keys.
• Rotate any credentials they touched. Quick plan: Employee Offboarding and The Simple Incident Playbook for Leaked Passwords.

Developer hygiene

• No secrets in repos (.env, keys). Delivery basics: Share API Keys and .env Files with Developers (Safely).
• Verify links in invites and emails. Habit guide: Verify Links Like a Pro.

Useful external references

• AWS IAM: Security best practices 🔗
• AWS: Tasks that require the root user 🔗
• AWS IAM Identity Center (SSO) 🔗

Bottom line

Invite people to roles—not to the root account. Enforce MFA, prefer short-lived credentials, and rotate on handoffs.

Secure One-Time Messages - Send confidential messages that self-destruct after being read once. Your privacy is our priority. →.