Profile Applicability: Level 1


Description:

The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.

We recommend that all access keys associated with the root account be removed. Removing access keys associated with the root account limits the vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role-based accounts that are least privileged.


Rationale:

Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged. 


Impact:

Not having root user account access keys will increase security and reduce unnecessary access to root account by others.  


Pre-Requisite

  1. Access to Root account.


Remediation:


Test Plan:

Using AWS Console

  1. Sign into the AWS Management Console using the root account credentials.
  2. Click on the AWS account name/number available in the upper-right corner of the Management Console and select My Security Credentials from the dropdown menu.

  3. On Your Security Credentials page, scroll down to Access keys (Access key ID and secret access key)

  4. Check the value available in the Status column for each root access key pair to determine the key pair status. If the Management Console displays one or more active access keys, your AWS root account is configured with active access keys, therefore your root access configuration does not follow the IAM security best practices regarding protection against unauthorized access.



Using AWS CLI


aws iam get-account-summary | grep "AccountAccessKeysPresent"

If no 'root' access keys exist the output will show "AccountAccessKeysPresent": 0,. If the output shows a "1" than 'root' keys exist 



Implementation Steps

Using  AWS Console:

  1. Sign in to the AWS Management Console using the root account credentials.
  2.  Click on the AWS account name/number available in the upper-right corner of the Management Console and select My Security Credentials from the dropdown menu.
  3. On Your Security Credentials page, and scroll down to Access keys (Access key ID and secret access key) tab.
  4. Remove the active access key created for your AWS root account by clicking the Delete link available in the Actions column.
  5. Inside the Delete <access-key-id>? confirmation box, choose Deactivate to decommission the root key, enter the access key ID in the required input field, then choose Delete to remove the access key for the AWS root account. 


Using AWS CLI

aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE


Backout Plan:

Important: Be sure to check that the access key is no longer in use before you delete it. You can't recover an access key after you delete it

If needed create new root user access keys

  • AWS Console Process

  1. Use your AWS account's email address and password to sign in to the AWS Management Console as your AWS account root user.

  2. Choose your account name in the navigation bar, and then choose My Security Credentials.

  3. If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  4. Expand the Access keys (access key ID and secret access key) section

  5. Click create access key.

  6. Accept the policy and click on create access key.
     

    Using AWS CLI

Using AWS CLI

Note

  • To run the following command or API operation as the root user, you must already have one active access key pair. If you don't have any access keys, create the first access key using the AWS Management Console. Then, you can use the credentials from that first access key with the AWS CLI to create the second access key, or to delete an access key.

command to create access key for root user.

$ aws iam create-access-key
{
    "AccessKey": {
        "UserName": "MyUserName",
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "Status": "Active",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "CreateDate": "2021-04-08T19:30:16+00:00"
    }
}

Reference:

AWS account root user - AWS Identity and Access Management 

Creating and deleting access keys for the AWS account root user - AWS Account Management 

 

CIS Controls:

4.3 Ensure the Use of Dedicated Administrative Accounts 

  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.