Profile Applicability: Level 1

Description:

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account. The "root" account has unrestricted access to all resources in the AWS account. 

Rationale: 

The root account has full access to all resources in your AWS account. We strongly recommend that you do not use this account. The root account is the most privileged. Minimize the use of this account and apply the principles of minimal privileges to control access, reducing the risk of accidental changes and unintended disclosure of privileged credentials.


Impact:

Since the root user has complete control over your AWS cloud infrastructure and resources, it is better to prevent this privileged user from getting into the wrong hands. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials. It is highly recommended that the use of this account be avoided.


Default Value:

By default AWS allows you to use the root account but it’s not recommended to use it every time.


Pre-Requisites:

  • Check whether the root account is used or not.

  • Approval required from the client for remediation of the task

  • After auditing, if the found any user is not using credentials for 90 days or more then only perform the below steps.


Remediation:

Test Plan:

  • Click on the Credential report in the left navigation pane in the Access reports section.
  • Click on the download report option given, which lists all your account's users and the status of their various credentials.

  • From the report, check the user and passwoord_last_used columns to check when the root user is logged in.
  • If you notice Root Account user is logging infrequently you need to reduce the use of it. To do that follow the implementation steps. 


Using AWS CLI:

The following command will download the credential report 

aws iam get-credential-report


Note: There are a few conditions under which the use of the root account is required, such as requesting a penetration test or creating a CloudFront private key, etc.


Implementation Steps:

Instead of using a Root account frequently we can create an Admin user and use it. To create an Admin user follow the below steps.

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM servicet https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane

  4. Click on Add User on the top and fill in all the details required like name, password, etc and click on Next: Permissions

  5. Select Attach existing policies directly and search for AdministratorAccess policy and select it

  6. Click the Next button at the bottom and review all the details you filled and click on Create User



Using AWS  CLI:

The following command will create the user and attach the permission to the user

aws iam create-user --user-name MyUser
aws iam attach-user-policy  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name MyUser

Backout Plan:

If you want to revoke the changes you made do follow the steps in the Implementation section and from there you can delete a user or change the access policy.


References:

Security best practices in IAM - AWS Identity and Access Management

AWS account root user - AWS Identity and Access Management

 

CIS Controls:

4.3 Ensure the Use of Dedicated Administrative Accounts

  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities