Profile Applicability: Level 1
Description:
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account. The "root" account has unrestricted access to all resources in the AWS account.
Rationale:
The root account has full access to all resources in your AWS account. We strongly recommend that you do not use this account. The root account is the most privileged. Minimize the use of this account and apply the principles of minimal privileges to control access, reducing the risk of accidental changes and unintended disclosure of privileged credentials.
Impact:
Since the root user has complete control over your AWS cloud infrastructure and resources, it is better to prevent this privileged user from getting into the wrong hands. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials. It is highly recommended that the use of this account be avoided.
Default Value:
By default AWS allows you to use the root account but it’s not recommended to use it every time.
Pre-Requisites:
Check whether the root account is used or not.
Approval required from the client for remediation of the task
After auditing, if the found any user is not using credentials for 90 days or more then only perform the below steps.
Remediation:
Test Plan:
Sign in to the AWS Management Console.
Navigate to IAM servicet https://console.aws.amazon.com/iam/.
- Click on the Credential report in the left navigation pane in the Access reports section.
Click on the download report option given, which lists all your account's users and the status of their various credentials.
- From the report, check the user and passwoord_last_used columns to check when the root user is logged in.
- If you notice Root Account user is logging infrequently you need to reduce the use of it. To do that follow the implementation steps.
Using AWS CLI:
The following command will download the credential report
aws iam get-credential-report
Note: There are a few conditions under which the use of the root account is required, such as requesting a penetration test or creating a CloudFront private key, etc.
Implementation Steps:
Instead of using a Root account frequently we can create an Admin user and use it. To create an Admin user follow the below steps.
Sign in to the AWS Management Console.
Navigate to IAM servicet https://console.aws.amazon.com/iam/.
Click on Users in the left navigation pane
Click on Add User on the top and fill in all the details required like name, password, etc and click on Next: Permissions
Select Attach existing policies directly and search for AdministratorAccess policy and select it
Click the Next button at the bottom and review all the details you filled and click on Create User
Using AWS CLI:
The following command will create the user and attach the permission to the user
aws iam create-user --user-name MyUser aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name MyUser
Backout Plan:
If you want to revoke the changes you made do follow the steps in the Implementation section and from there you can delete a user or change the access policy.
References:
Security best practices in IAM - AWS Identity and Access Management
AWS account root user - AWS Identity and Access Management
CIS Controls:
4.3 Ensure the Use of Dedicated Administrative Accounts
- Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities