Profile Applicability: Level 1

Description:

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account. The "root" account has unrestricted access to all resources in the AWS account. 


Impact:

Since the root user has complete control over your AWS cloud infrastructure and resources, it is important to keep this privileged identity out of the wrong hands. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials. It is highly recommended that the use of this account be avoided.


Default Value:

By default, AWS allows you to use the root account, but it is not recommended to use it for everyday tasks.


Audit:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Credential report in the left navigation pane.

  4. Click on the download report option given, which lists all your account's users and the status of their various credentials.

  5. From the report, check the user and password_last_used columns to see when the root user last logged in.

  6. If you notice that the root account user is logging in frequently, you need to reduce the use of it. To do that, follow the implementation steps.


Note: There are a few conditions under which the use of the root account is required, such as requesting a penetration test or creating a CloudFront private key.
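The credential-report check in Audit step 5 can be run outside the console. The following is an added example (not part of this benchmark page) that parses a constructed credential report in the real CSV layout, takes the latest of the root user's password_last_used and access-key last-used dates, and flags root activity within a chosen window; the `fetch_live_report` helper that downloads the real report with boto3 is the author's assumption and is not exercised by the sample.

```python
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report CSV layout (account id and dates are made up).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:15:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::111122223333:user/admin,2024-01-10T00:00:00+00:00,true,2024-05-21T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-21T08:30:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"  # how the report names the root user
ACTIVITY_COLUMNS = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")


def parse_timestamp(value):
    """Report fields hold ISO 8601 times or the literals N/A, no_information, not_supported."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def root_last_activity(report_csv):
    """Most recent root console sign-in or root access-key use, or None if never recorded."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER:
            stamps = [t for t in (parse_timestamp(row[c]) for c in ACTIVITY_COLUMNS) if t]
            return max(stamps) if stamps else None
    return None


def root_used_within(report_csv, days, now=None):
    """True when root was used in the last `days` days; `now` is an ISO 8601 string for testing."""
    reference = parse_timestamp(now) if now else datetime.now(timezone.utc)
    last = root_last_activity(report_csv)
    return last is not None and reference - last <= timedelta(days=days)


def fetch_live_report():
    """Assumed helper: download the real report with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the sample above runs without boto3 installed
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous; poll until it is ready
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    print("root used in last 90 days:", root_used_within(SAMPLE_REPORT, 90))
```

Replace `SAMPLE_REPORT` with `fetch_live_report()` to audit a real account; a root user that is used only for the tasks listed in the Note above should show no recent activity here.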


Remediation:

Pre-Requisites

  • Check whether the root account is in use or not.

  • Approval required from the client for remediation of the task.

  • After auditing, perform the steps below only if a user is found not to have used their credentials for 90 days or more.

Implementation Steps

Instead of using the root account frequently, create an Admin user and use that instead. To create an Admin user, follow the steps below.

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. Click on Add User at the top, fill in all the required details such as name and password, and click on Next: Permissions.

  5. Select the Attach existing policies directly tab, search for the AdministratorAccess policy and select it.

  6. Click the Next button at the bottom, review all the details you filled in, and click on Create User.

Backout Plan:

If you want to revert the changes you made, follow the steps in the Implementation section; from the same Users page you can delete the user or change the attached access policy.


References:

  1. Security best practices in IAM - AWS Identity and Access Management 
  2. AWS account root user - AWS Identity and Access Management 

CIS Controls:

4.3 Ensure the Use of Dedicated Administrative Accounts

  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities