Best Practices for the Root User
The account you registered with Huawei Cloud has the highest operation permissions on all resources in that account. This identity is called the root user. You can log in to Huawei Cloud with the account name and password, or on the IAM user login page with the account name, a username identical to the account name, and the password. Safeguard the root user's credentials: if they are leaked, every resource and all data in the account are exposed. When you register an account, we strongly recommend that you create an IAM user and add it to the admin user group; use that user to manage other identities and assign permissions. Do not log in as the root user unless the task specifically requires root user credentials.
Secure the Root User's Credentials
To help prevent unauthorized use, do not share the root user's credentials, including the password, access keys, and MFA device, and use them only when necessary.
Set a Strong Password for the Root User
We recommend that you set a strong password for the root user. As an example policy, the password should meet at least the following conditions:
- It must contain at least 8 characters.
- It must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters.
- It must be distinct from your account name or email address.
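As an added illustration (not code from the Huawei Cloud documentation), the following Python function checks a candidate root password against the three conditions listed above. The account name and e-mail address are constructed sample values, and the comparison against the local part of the e-mail address is a stricter reading than the page states, added here as an assumption.

```python
import re

# Character types that count toward the "at least two types" condition.
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

MIN_LENGTH = 8
MIN_CLASSES = 2


def check_root_password(password: str, account_name: str, email: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []

    # Condition 1: minimum length.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Condition 2: at least two of the four character types.
    present = [name for name, pattern in CHARACTER_CLASSES.items() if pattern.search(password)]
    if len(present) < MIN_CLASSES:
        violations.append(
            f"only {len(present)} character type(s); need at least {MIN_CLASSES}"
        )

    # Condition 3: distinct from the account name and e-mail address.
    # Compared case-insensitively; the e-mail local part is an added, stricter check.
    lowered = password.lower()
    candidates = (
        ("account name", account_name),
        ("email address", email),
        ("email local part", email.split("@")[0] if email else ""),
    )
    for label, value in candidates:
        if value and lowered == value.lower():
            violations.append(f"identical to the {label}")

    return violations


if __name__ == "__main__":
    # Constructed sample values, not real account data.
    account, mail = "acme-cloud", "admin@example.com"
    for candidate in ("Tr0ub4dor&3", "short1", "alllowercase", "acme-cloud", "Admin@Example.com"):
        print(f"{candidate!r}: {check_root_password(candidate, account, mail) or 'OK'}")
```

The function returns every violation rather than stopping at the first one, so an operator setting the password sees all the reasons a candidate was rejected.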
Secure Your Root User Login with MFA
Because the root user has the highest permissions for all resources in your account, it is crucial to add an MFA device for the root user as a secondary authentication factor.
- If your account is a Huawei Cloud account (not a HUAWEI ID), you can add an MFA device by following these steps to enable login protection automatically: On the IAM console, choose Users > Root User (the enterprise administrative user). On the displayed page, click the Security Settings tab, and then click Add MFA Device in the Multi-Factor Authentication (MFA) area. Huawei Cloud supports only virtual MFA and security keys based on the FIDO protocol and Windows Hello as the secondary authentication factor for the root user.
- If your Huawei Cloud account has been upgraded to a HUAWEI ID, you cannot bind an MFA device on the security settings page. Instead, go to the HUAWEI ID account center, choose Account & security, locate Two-step verification in the Security verification area, and click ENABLE. Then, enter the verification information to enable login protection. Only the mobile number, email address, and virtual MFA can be used as the secondary authentication method for the root user of a HUAWEI ID.
Use Multi-Person Approval for Root User Login
To strengthen security, we recommend that you assign the root user's MFA device and password to different persons. Each root user login then requires the cooperation of multiple persons, so no single person can use the root user alone.
Do Not Create Access Keys for the Root User
Your account has all the permissions required to access resources and pay for their usage. Both the password and the access keys (AK/SK) of the root user are account credentials and grant the same permissions. The password is mandatory and is used for console login. Access keys are optional: they supplement the password and are used for programmatic requests from development tools. To enhance account security, use only the password to log in to the console, and do not create access keys for the root user, so that there is no root access key to leak.
Secure the Root Users of the Management Account and Member Accounts in an Organization
When you use Organizations to manage multiple accounts, you need to take the preceding measures to secure the root users of the management account and member accounts in the organization.
Restrict Root User Actions Using SCPs in Organizations
You can apply an SCP in Organizations to restrict the actions that the root user of a member account can perform. For example, you can deny all root user actions on Elastic Cloud Server (ECS) instances in your member accounts. For details, see Example SCPs.
Automatically Evaluate the Compliance of Root User Settings
The Config service can evaluate the compliance of the root user settings. Use Config to check whether the root user has any available access keys and whether MFA is enabled for the root user.
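The checks described in the sections above can also be expressed as an offline posture evaluation. The following Python is an added example, not Config's own rules or the Huawei Cloud SDK: the rule names, the RootUserPosture record and the sample accounts are all constructed here to show how the "no access keys", "MFA enabled" and "split custody of password and MFA device" checks combine across the accounts of an organization.

```python
from dataclasses import dataclass, field


@dataclass
class RootUserPosture:
    """Constructed snapshot of one account's root user settings (not a Config data model)."""
    account: str
    mfa_enabled: bool
    access_keys: list[str] = field(default_factory=list)  # IDs of existing root access keys
    password_holder: str = ""    # person who holds the root password
    mfa_device_holder: str = ""  # person who holds the root MFA device


def evaluate_root_user(posture: RootUserPosture) -> dict[str, bool]:
    """Map each constructed rule name to True (compliant) or False (non-compliant)."""
    custody_known = bool(posture.password_holder) and bool(posture.mfa_device_holder)
    return {
        # "Do Not Create Access Keys for the Root User"
        "root-no-access-keys": not posture.access_keys,
        # "Secure Your Root User Login with MFA"
        "root-mfa-enabled": posture.mfa_enabled,
        # "Use Multi-Person Approval for Root User Login": password and MFA device
        # must be held by different, known persons.
        "root-split-custody": custody_known
        and posture.password_holder != posture.mfa_device_holder,
    }


def evaluate_organization(postures: list[RootUserPosture]) -> list[tuple[str, str]]:
    """Return (account, rule) pairs for every non-compliant root user in the organization."""
    findings = []
    for posture in postures:
        for rule, compliant in evaluate_root_user(posture).items():
            if not compliant:
                findings.append((posture.account, rule))
    return findings


# Constructed sample: a management account and two member accounts.
SAMPLE_ORG = [
    RootUserPosture("mgmt-account", mfa_enabled=True,
                    password_holder="alice", mfa_device_holder="bob"),
    RootUserPosture("member-dev", mfa_enabled=False, access_keys=["AK-EXAMPLE-1"],
                    password_holder="carol", mfa_device_holder="carol"),
    RootUserPosture("member-prod", mfa_enabled=True,
                    password_holder="dave", mfa_device_holder=""),
]


if __name__ == "__main__":
    for account, rule in evaluate_organization(SAMPLE_ORG):
        print(f"NON-COMPLIANT {account}: {rule}")
```

Running the sample reports nothing for the management account, three findings for member-dev (a root access key exists, MFA is off, and one person holds both factors) and one for member-prod, where the MFA device holder is unknown, so split custody cannot be confirmed.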
If you have any security concerns regarding the root user, submit a service ticket on the official website or call the Huawei Cloud customer service at 4000-955-988 or 950808.