IAM Root User

Identity and Access Management (IAM) root User

Resource Type

AWS.IAM.RootUser

Resource ID Format

For IAM root users, the resource ID is the ARN.

arn:aws:iam::123456789012:root

Background

This resource represents a snapshot for an AWS root user account. This is largely similar to the AWS.IAM.User resource, but with a few added fields. Being a separate resource type also simplifies and optimizes writing policies which apply only to the root account, a common pattern.

Fields

Field

Type

Description

CredentialReport

Map

An AWS account credential report for this user. Implemented as a mapping of string keys to values.

VirtualMFADevice

Map

Contains the EnableDate and SerialNumber of the configured virtual MFA device, if one exists.

Example

{
    "AccountId": "123456789012",
    "Arn": "arn:aws:iam::123456789012:root",
    "CredentialReport": {
        "ARN": "arn:aws:iam::123456789012:root",
        "AccessKey1Active": false,
        "AccessKey1LastRotated": "0001-01-01T00:00:00Z",
        "AccessKey1LastUsedDate": "0001-01-01T00:00:00Z",
        "AccessKey1LastUsedRegion": "N/A",
        "AccessKey1LastUsedService": "N/A",
        "AccessKey2Active": false,
        "AccessKey2LastRotated": "0001-01-01T00:00:00Z",
        "AccessKey2LastUsedDate": "0001-01-01T00:00:00Z",
        "AccessKey2LastUsedRegion": "N/A",
        "AccessKey2LastUsedService": "N/A",
        "Cert1Active": false,
        "Cert1LastRotated": "0001-01-01T00:00:00Z",
        "Cert2Active": false,
        "Cert2LastRotated": "0001-01-01T00:00:00Z",
        "MfaActive": true,
        "PasswordEnabled": false,
        "PasswordLastChanged": "0001-01-01T00:00:00Z",
        "PasswordLastUsed": "2019-01-01T00:00:00Z",
        "PasswordNextRotation": "0001-01-01T00:00:00Z",
        "UserCreationTime": "2019-01-01T00:00:00Z",
        "UserName": "<root_account>"
    },
    "Id": "123456789012",
    "Name": "<root_account>",
    "Region": "global",
    "ResourceId": "arn:aws:iam::123456789012:root",
    "ResourceType": "AWS.IAM.RootUser",
    "Tags": null,
    "TimeCreated": "2019-01-01T00:00:00.000Z",
    "VirtualMFA": {
        "EnableDate": "2019-01-01T00:00:00Z",
        "SerialNumber": "arn:aws:iam::123456789012:mfa/root-virtual-mfa-device"
    }
}

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated