AWS Security ChangesHomeSearch

AWS govcloud-us documentation change

Service: govcloud-us · 2025-11-07 · Documentation low

File: govcloud-us/latest/UserGuide/govcloud-account-root-user.md

Summary

Formatting and typographical fixes including curly quotes, markdown link syntax corrections, and placeholder updates

Security assessment

Changes involve typographical corrections (e.g., straight quotes to curly quotes), markdown link formatting fixes, and placeholder syntax updates (e.g., adding angle brackets). No security vulnerabilities or new security guidance are introduced.

Diff

diff --git a/govcloud-us/latest/UserGuide/govcloud-account-root-user.md b/govcloud-us/latest/UserGuide/govcloud-account-root-user.md
index 196f514a8..9d7facc64 100644
--- a//govcloud-us/latest/UserGuide/govcloud-account-root-user.md
+++ b//govcloud-us/latest/UserGuide/govcloud-account-root-user.md
@@ -17 +17 @@ Anyone who has root user access keys for your AWS GovCloud (US) account has unre
-In this guide you will find...
+In this guide you will find…​
@@ -73 +73 @@ In the credential report CSV, the following columns will allow you to identify i
-  * **access_key_1_active** – When the root user has an access key and the access key's status is Active, this value is `TRUE`. Otherwise it is `FALSE`.
+  * **access_key_1_active** – When the root user has an access key and the access key’s status is Active, this value is `TRUE`. Otherwise it is `FALSE`.
@@ -77 +77 @@ In the credential report CSV, the following columns will allow you to identify i
-  * **access_key_2_active** – When the root user has a second access key and the second key's status is Active, this value is `TRUE`. Otherwise it is `FALSE`.
+  * **access_key_2_active** – When the root user has a second access key and the second key’s status is Active, this value is `TRUE`. Otherwise it is `FALSE`.
@@ -86 +86 @@ In this example, the root user has an active root access key in the account beca
-![In this example, the root user has an active root access key in the account with no second access key.](/images/govcloud-us/latest/UserGuide/images/govcloud-root-user-cred-report.png)
+![In this example, the root has an active root access key in the account with no second access key.](/images/govcloud-us/latest/UserGuide/images/govcloud-root-user-cred-report.png)
@@ -96 +96 @@ If AWS Security Hub is enabled on your account, the following Security Hub contr
-  * [ Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1] IAM root user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1)
+  * [Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1 IAMroot user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1)]
@@ -98 +98 @@ If AWS Security Hub is enabled on your account, the following Security Hub contr
-  * [AWS Foundational Security Best Practices standard: [IAM.4] IAM root user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4)
+  * [AWS Foundational Security Best Practices standard: [IAM.4 IAMroot user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4)]
@@ -156 +156 @@ Gather the following required information so you have it on hand when you open a
-  2. **Account Email** – If you are not aware of your account email, see [I don't know the email for my standard AWS account or AWS GovCloud (US) account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-troubleshooting.html#troubleshoot-forgot-email-account) in the _AWS GovCloud (US) User Guide_. If you need to change your account email, see [ How do I change the email address that's associated with my AWS account?](https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/)
+  2. **Account Email** – If you are not aware of your account email, see [I don’t know the email for my standard AWS account or AWS GovCloud (US) account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-troubleshooting.html#troubleshoot-forgot-email-account) in the _AWS GovCloud (US) User Guide_. If you need to change your account email, see [How do I change the email address that’s associated with my AWS account?](https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/)
@@ -160 +160 @@ Gather the following required information so you have it on hand when you open a
-  4. **AWS GovCloud (US) Account ID** – If you are not aware of your AWS GovCloud (US) account ID, see [Finding your AWS GovCloud (US) account ID](./govcloud-sign-in-issues.html#troubleshoot-need-account-ID-alias) in the _AWS GovCloud (US) User Guide_.
+  4. **AWS GovCloud (US) Account ID** – If you are not aware of your AWS GovCloud (US) account ID, see [Finding your AWS GovCloud (US) account ID](./govcloud-sign-in-issues.html#troubleshoot-need-account-id-alias) in the _AWS GovCloud (US) User Guide_.
@@ -177 +177 @@ To generate a KMS key, use the following AWS CLI command:
-                    "Principal": {"AWS": "arn:aws:iam::your-account-ID:root"},
+                    "Principal": {"AWS": "arn:aws:iam::<your-account-ID>:root"},
@@ -181 +181 @@ To generate a KMS key, use the following AWS CLI command:
-                {
+                {=
@@ -219,2 +219,2 @@ If you are having issues signing in to your standard AWS account as the root use
-        AWS GovCloud (US) Account ID: [AWS GovCloud (US) Account ID From Step 1]
-        Asymmetric KMS key ARN: [Asymmetric KMS key ARN from Step 1]
+        {govcloud-us} Account ID: [{govcloud-us} Account ID From Step 1]
+        Asymmetric {kms-key} ARN: [Asymmetric {kms-key} ARN from Step 1]
@@ -223,3 +223,3 @@ If you are having issues signing in to your standard AWS account as the root use
-        acknowledge the applicable requirements contained in the AWS GovCloud (US) 
-        Addendum to the AWS Customer Agreement (the "AWS GovCloud (US) Addendum") 
-        that apply to and governs the use of the AWS services in the AWS GovCloud (US) 
+        acknowledge the applicable requirements contained in the {govcloud-us}
+        Addendum to the {aws} Customer Agreement (the "{govcloud-us} Addendum")
+        that apply to and governs the use of the {aws-services} in the {govcloud-us}
@@ -227 +227 @@ If you are having issues signing in to your standard AWS account as the root use
-        AWS GovCloud (US) Addendum, I represent and warrant that: I am a U.S. person; 
+        {govcloud-us} Addendum, I represent and warrant that: I am a U.S. person;
@@ -230,2 +230,2 @@ If you are having issues signing in to your standard AWS account as the root use
-        to sanctions); and have full authority to request AWS release to me 
-        account credentials relating to the subject AWS GovCloud (US) account listed above. 
+        to sanctions); and have full authority to request {aws} release to me
+        account credentials relating to the subject {govcloud-us} account listed above.
@@ -235 +235 @@ If you are having issues signing in to your standard AWS account as the root use
-        purpose of processing new root credentials for the AWS GovCloud (US) 
+        purpose of processing new root credentials for the {govcloud-us}
@@ -265 +264 @@ The following image shows an example of a completed ticket:
-  10. Choose **Contact us** , choose your **Preferred contact language** , and then choose **Web** as the contact method, if it's not selected by default.
+  10. Choose **Contact us** , choose your **Preferred contact language** , and then choose **Web** as the contact method, if it’s not selected by default.
@@ -297 +296 @@ If you are having issues signing in to your [standard AWS account](https://docs.
-        --secret-id 'RCR secret ARN' \
+        --secret-id '<RCR secret ARN>' \
@@ -301 +300 @@ If you are having issues signing in to your [standard AWS account](https://docs.
-        --query 'SecretString' \
+        --query <'SecretString'> \
@@ -307 +306 @@ Then decrypt the output of `get-secret-value` for the credentials using this AWS
-        --key-id 'KMS ARN GENERATED IN STEP 1' \
+        --key-id '<KMS ARN GENERATED IN STEP 1>' \
@@ -310 +309 @@ Then decrypt the output of `get-secret-value` for the credentials using this AWS
-        --ciphertext-blob 'OUTPUT FROM get-secret-value' \
+        --ciphertext-blob '<OUTPUT FROM get-secret-value>' \
@@ -320 +319 @@ Then decrypt the output of `get-secret-value` for the credentials using this AWS
-![AWS Management Console navigation bar with AWS CloudShell icon displayed.](/images/govcloud-us/latest/UserGuide/images/console_cloudshell_navigation_bar.png)
+![console navigation bar with cshell icon displayed.](/images/govcloud-us/latest/UserGuide/images/console_cloudshell_navigation_bar.png)
@@ -322 +321 @@ Then decrypt the output of `get-secret-value` for the credentials using this AWS
-  8. Your environment will take a few seconds to get started. Once ready you will see `[[email protected] ~] $`.
+  8. Your environment will take a few seconds to get started. Once ready you will see `[[[email protected]](mailto:[email protected]) ~] $`.
@@ -324 +323 @@ Then decrypt the output of `get-secret-value` for the credentials using this AWS
-![AWS Management Console navigation bar with AWS CloudShell icon displayed.](/images/govcloud-us/latest/UserGuide/images/cloudshell_waiting.png)
+![console navigation bar with cshell icon displayed.](/images/govcloud-us/latest/UserGuide/images/cloudshell_waiting.png)
@@ -326 +325 @@ Then decrypt the output of `get-secret-value` for the credentials using this AWS
-![AWS Management Console navigation bar with AWS CloudShell icon displayed.](/images/govcloud-us/latest/UserGuide/images/cloudshell_ready.png)
+![console navigation bar with cshell icon displayed.](/images/govcloud-us/latest/UserGuide/images/cloudshell_ready.png)
@@ -332 +331 @@ Example
-        SECRET_ID="arn:aws:secretsmanager:us-east-1:536883072436:secret:rcr-example-02-0D3VUW"
+        SECRET_ID="arn:aws:secretsmanager:us-east-1:536883072436:secret:<rcr-example-02-0D3VUW>"
@@ -341 +340 @@ Example
-    KMS_ENCRYPTION_KEY='arn:aws:kms:us-east-1:536883072436:key/12345678-90ab-cdef-0123-4567-8example'
+    KMS_ENCRYPTION_KEY='arn:aws:kms:us-east-1:536883072436:key/<12345678-90ab-cdef-0123-4567-8example>'
@@ -373 +372 @@ These are some of the most common issues you may face while retrieving your AWS
-    --region us-east-1 --version-stage AWSCURRENT --output text --query 'SecretString'
+    --region us-east-1 --version-stage AWSCURRENT --output text --query <'SecretString'>
@@ -375,3 +374,2 @@ These are some of the most common issues you may face while retrieving your AWS
-    Secrets Manager can't decrypt the secret value: arn:aws:kms:us-east-1:536883072436:key/73947a77-ddbe-4dc7-bd8f-3fe0bc840778 is disabled. 
-    (Service: AWSKMS; Status Code: 400; Error Code: DisabledException; Request ID: cdc4b7ed-e171-4cef-975a-ad829d4123e8; Proxy: null)                           
-                            
+    Secrets Manager can't decrypt the secret value: arn:aws:kms:us-east-1:<536883072436:key/73947a77-ddbe-4dc7-bd8f-3fe0bc840778> is disabled.
+    (Service: AWSKMS; Status Code: 400; Error Code: DisabledException; Request ID: <cdc4b7ed-e171-4cef-975a-ad829d4123e8; Proxy: null>)
@@ -391 +389 @@ If you lost or forgot your AWS GovCloud (US) account root user access keys from
-    --region us-east-1 --version-stage AWSCURRENT --output text --query 'SecretString'
+    --region us-east-1 --version-stage AWSCURRENT --output text --query <'SecretString'>
@@ -423,3 +420,3 @@ The following example creates a profile named `govcloudroot` using sample values
-            AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
-            AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
-            Default Region name [None]: us-gov-west-1
+            {aws} Access Key ID [None]: <AKIAI44QH8DHBEXAMPLE>
+            {aws} Secret Access Key [None]: <je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY>
+            Default Region name [None]: <us-gov-west-1>
@@ -437,3 +434,3 @@ If using AWS CloudShell you must specify the region in each command using the `-
-            "UserId": "123456789012",
-            "Account": "123456789012",
-            "Arn": "arn:aws-us-gov:iam::123456789012:root"
+            "UserId": <"123456789012">,
+            "Account": <"123456789012">,
+            "Arn": "arn:aws-us-gov:iam::<123456789012>:root"
@@ -492 +489 @@ We recommend that you use an IAM user with appropriate permissions to [ perform
-The most common use of AWS GovCloud (US) account root user access keys is to restore administrator access to the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com). In this section, you will learn how to restore AWS Management Console access for the `Administrator` IAM user in your AWS GovCloud (US) account using your AWS GovCloud (US) account root user access keys.
+The most common use of AWS GovCloud (US) account root user access keys is to restore administrator access to the [AWS GovCloud (US) console](https://docs.aws.amazon.com/https://console.amazonaws-us-gov.com). In this section, you will learn how to restore AWS Management Console access for the `Administrator` IAM user in your AWS GovCloud (US) account using your AWS GovCloud (US) account root user access keys.
@@ -504 +501 @@ Before completing Tasks in AWS GovCloud (US) Regions that require root user acce
-Copy and paste the following AWS CLI commands into the terminal window to...
+Copy and paste the following AWS CLI commands into the terminal window to…​
@@ -528 +524 @@ With the `Administrator` IAM user created you can now set a new password to acce
-Copy and paste the following AWS CLI command into your terminal window to set a new temporary password for the `Administrator` IAM user. Sign in to the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com) with the temporary password to set your new password for the `Administrator` IAM user.
+Copy and paste the following AWS CLI command into your terminal window to set a new temporary password for the `Administrator` IAM user. Sign in to the [AWS GovCloud (US) console](https://docs.aws.amazon.com/https://console.amazonaws-us-gov.com) with the temporary password to set your new password for the `Administrator` IAM user.
@@ -592 +584 @@ Before completing Tasks in AWS GovCloud (US) Regions that require root user acce
-    --bucket my-bucket --policy file://policy.json
+    --bucket my-bucket --policy file://<policy.json>
@@ -609 +601 @@ The following AWS Security Hub findings can be remediated by deleting all root a
-  * [Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1] IAM root user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1)
+  * [Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1) IAM root user access key should not exist]
@@ -611 +603 @@ The following AWS Security Hub findings can be remediated by deleting all root a
-  * [AWS Foundational Security Best Practices standard: [IAM.4] IAM root user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4)
+  * [AWS Foundational Security Best Practices standard: [IAM.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4) IAM root user access key should not exist]
@@ -624,2 +615,0 @@ Before completing Tasks in AWS GovCloud (US) Regions that require root user acce
-###### Rotating root access keys without interrupting your applications (AWS CLI)
-
@@ -637,2 +627,2 @@ At this point, the AWS GovCloud (US) root user has two active access keys.
-        AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
-        AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
+        {aws} Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
+        {aws} Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
@@ -697 +686 @@ You can verify the unused access key was deleted by running the `list-access-key
-Safeguard your AWS GovCloud (US) account root user access keys the same way you would protect other sensitive personal information. We don't recommend generating access keys for your root user, because they allow full access to all your resources for all AWS services. The root user in AWS GovCloud (US) does not support MFA. Don’t use your root user for everyday tasks. Use the root user to complete the tasks that only the root user can perform. For the complete list of these tasks, see Tasks in AWS GovCloud (US) Regions that require root user access keys in this guide. Listed here are best practices to secure your AWS GovCloud (US) account root access keys.
+Safeguard your AWS GovCloud (US) account root user access keys the same way you would protect other sensitive personal information. We don’t recommend generating access keys for your root user, because they allow full access to all your resources for all AWS services. The root user in AWS GovCloud (US) does not support MFA. Don’t use your root user for everyday tasks. Use the root user to complete the tasks that only the root user can perform. For the complete list of these tasks, see Tasks in AWS GovCloud (US) Regions that require root user access keys in this guide. Listed here are best practices to secure your AWS GovCloud (US) account root access keys.
@@ -699 +688 @@ Safeguard your AWS GovCloud (US) account root user access keys the same way you
-  * If you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to. Instead, use an IAM user that has administrative permissions.
+  * If you don’t already have an access key for your AWS account root user, don’t create one unless you absolutely need to. Instead, use an IAM user that has administrative permissions.