# AWS Root Account Security
Do this FIRST - before creating the organization or any other resources.
The AWS root account has unrestricted access and should be locked down immediately:
# Steps
- Enable MFA: Add multi-factor authentication to the root account using a hardware token or authenticator app
- Remove Access Keys: Delete any root account access keys - root should never use programmatic access
- Create Strong Password: Use a long, randomly generated password stored in a password manager
- Secure Email: Ensure the mailbox behind the root account email is itself protected by MFA and is monitored (it is the password-reset path)
- Document Recovery: Store root credentials and MFA recovery codes in a secure location (e.g., a vault)
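The MFA and access-key steps above can be verified after the fact. The following is an added example, not part of this guide: it reads the IAM credential report (real columns from `aws iam get-credential-report`, where AWS names the root user `<root_account>`) and flags a root user without MFA or with active access keys. The embedded sample reports and account ID are constructed; fetching a live report is optional and assumes boto3 with `iam:GetCredentialReport`.

```python
"""Audit the AWS root user from an IAM credential report (added example)."""
import csv
import io

ROOT_USER = "<root_account>"  # the user name AWS assigns to root in the report

# Constructed sample reports using a subset of the real report columns;
# 123456789012 is the standard AWS documentation placeholder account ID.
SAMPLE_REPORT_BAD = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2024-01-01T00:00:00+00:00,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,2024-02-01T00:00:00+00:00,true,true,false,false
"""
SAMPLE_REPORT_GOOD = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2024-01-01T00:00:00+00:00,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2024-02-01T00:00:00+00:00,true,true,false,false
"""


def root_findings(report_csv: str) -> list[str]:
    """Return findings for the root row; an empty list means the checks pass."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root row missing from credential report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root MFA not enabled")
    for slot in ("access_key_1_active", "access_key_2_active"):
        if root[slot] == "true":
            findings.append(f"root has an active access key ({slot})")
    return findings


def fetch_report_csv() -> str:
    """Download the live report (assumes boto3 and iam:GetCredentialReport)."""
    import boto3  # imported lazily so the offline checks run without it

    iam = boto3.client("iam")
    iam.generate_credential_report()  # report may take a moment to become COMPLETE
    # boto3 returns the report body as bytes (the raw CLI output is base64).
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    for name, report in (("bad", SAMPLE_REPORT_BAD), ("good", SAMPLE_REPORT_GOOD)):
        print(name, root_findings(report) or ["OK"])
```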
# Why it matters
Root account compromise can lead to complete account takeover, data loss, and unlimited spending.
Complete these steps before proceeding to create your AWS Organization.