My organization uses AWS GovCloud (US) to run workloads. I want to delete, deactivate, or rotate all root user account access keys.
Short description
When you sign up for an AWS account, AWS issues you a single sign-in identity called the AWS account root user. The root user can access all AWS services and resources in your account. After you complete the AWS GovCloud (US) sign up process with your root user credentials, AWS also creates the AWS GovCloud (US) account root user.
Note: AWS GovCloud (US) account root user console access isn't supported. You can't sign in to the AWS Management Console for AWS GovCloud (US) with your AWS account email address and password. However, programmatic access is supported through access keys for the root user, which you can use with the AWS CLI or AWS SDK.
Important: It's a best practice to use the AWS account root user only when you create your first AWS Identity and Access Management (IAM) user. After you create that first IAM user, lock away the root user access keys and use them only to perform a few tasks. Use your IAM user account for your day-to-day tasks.
Resolution
Follow these steps to delete, deactivate, or rotate root access keys for your AWS GovCloud (US) account.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Configure root access keys in the AWS CLI
As your first step, configure the AWS CLI with your AWS GovCloud (US) account root user access keys. You can also configure the AWS CLI for use on your local machine. For instructions, see Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell).
Verify that root access keys exist
To verify that your AWS GovCloud (US) account has a root access key, see Does my AWS GovCloud (US) account have existing root access keys?
You can also run the list-access-keys AWS CLI command, which calls the ListAccessKeys API:
aws iam list-access-keys
Delete root access keys
To delete a root access key, see Deleting my AWS GovCloud (US) account root user access keys. You can also use the DeleteAccessKey API with the AWS SDKs.
Deactivate root access keys
To deactivate a root access key, run the update-access-key AWS CLI command, similar to the following:
aws iam update-access-key --access-key-id AKIAEXAMPLE123456789 --status Inactive
Note: Replace AKIAEXAMPLE123456789 with your access-key-id value.
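The following added example (not part of the original AWS article) combines the verify and deactivate steps above as a dry run: it reads list-access-keys output and prints the update-access-key command for each Active key, so that an operator can review the commands before running them. The function names plan_deactivation and count_active and the sample key IDs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Dry-run planner (added example). Reads tab-separated rows on stdin, as produced by:
#   aws iam list-access-keys \
#     --query 'AccessKeyMetadata[].[AccessKeyId,Status,CreateDate]' --output text
# and prints one update-access-key command per Active key. It never calls AWS itself.

# plan_deactivation: hypothetical helper name, not an AWS CLI feature.
plan_deactivation() {
  awk -F'\t' '
    NF == 0 { next }                       # skip blank lines
    $2 != "Active" { next }                # Inactive keys need no action
    length($1) < 16 || $1 !~ /^[A-Z0-9]+$/ {
      # Do not emit a command for anything that does not look like a key ID
      printf "skipped malformed row: %s\n", $0 > "/dev/stderr"
      next
    }
    { printf "aws iam update-access-key --access-key-id %s --status Inactive\n", $1 }
  '
}

# count_active: number of Active keys in the same input; 0 means nothing to deactivate.
count_active() {
  awk -F'\t' '$2 == "Active" { n++ } END { print n + 0 }'
}

# Constructed sample rows (placeholder key IDs, not real credentials).
SAMPLE_KEYS=$(printf '%s\t%s\t%s\n' \
  'AKIAEXAMPLE123456789' 'Active'   '2023-01-15T10:00:00+00:00' \
  'AKIAEXAMPLE987654321' 'Inactive' '2022-06-01T08:30:00+00:00')

# Demo on the constructed rows: prints the single command for the Active key.
printf '%s\n' "$SAMPLE_KEYS" | plan_deactivation
```

To use it against a live account, pipe the list-access-keys command shown in the header comment into plan_deactivation, then run list-access-keys again after deactivation to confirm that no key is still Active.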
Rotate root access keys
To rotate root access keys, follow the instructions to Rotate my AWS GovCloud (US) account root user access keys.
Related information
How IAM differs for AWS GovCloud (US)