You can completely lock the root user of an AWS account by using a Service Control Policy (SCP) within AWS Organizations with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}
With this SCP in place, all root access is denied, even to the billing page (AWS Budgets). This can be useful when a quota limit prevents you from closing an AWS account.
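Before attaching the policy, it helps to confirm which principals its condition actually catches. The following is an added example, not part of the original page: a simplified local model of the `StringLike` match on `aws:PrincipalArn` (not AWS's own policy evaluation engine), run against constructed account IDs and principal names.

```python
import json
import re

# The SCP from this page, embedded so the check runs offline.
SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny", "Action": "*", "Resource": ["*"],
   "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}}]}
""")

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' is any run of characters, '?' is one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None

def denied_by_scp(policy, principal_arn):
    """True if a Deny statement's aws:PrincipalArn condition matches the caller.

    Simplified model: Action and Resource are "*" in this policy, so the
    condition alone decides whether the Deny applies.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Condition"]["StringLike"]["aws:PrincipalArn"]
        if isinstance(patterns, str):  # IAM accepts a string or a list
            patterns = [patterns]
        if any(string_like(p, principal_arn) for p in patterns):
            return True
    return False

# Constructed principals (account IDs and names are placeholders).
SAMPLES = [
    "arn:aws:iam::111122223333:root",             # root user of a member account
    "arn:aws:iam::444455556666:root",             # root user of another account
    "arn:aws:iam::111122223333:user/root",        # IAM user that is merely named "root"
    "arn:aws:iam::111122223333:role/BreakGlass",  # IAM role
]

if __name__ == "__main__":
    for arn in SAMPLES:
        print(f"{'DENY ' if denied_by_scp(SCP, arn) else 'allow'}  {arn}")
```

Only the two root-user ARNs match; IAM users and roles in the same accounts are left untouched by this statement.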

