All AWS accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account.
You cannot use policies within your account to explicitly deny access to the root user. You can only use an AWS Organizations service control policy (SCP) to limit permissions to an account, including the root user, that is a member of an organization or organizational unit (OU).
Because of this, we recommend that you delete your root user access keys and then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS.