Profile Applicability: Level 1
In AWS “root” account we know it is the initial account and begins with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS root account user. So that the root account is the most privileged user in an AWS account. AWS Access Keys provides programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.
If anyone has root access keys they have admin-level access to all AWS resources. Removing the root access keys encourages the creation and use of role-based accounts that are least privileged and also associated with the root account limits vectors by which the account can be compromised.
We ensure that no one will access services or resources through the root account via CLI mode.
By default there are no access keys are generated by AWS. If anyone creates an access key it has the status of active, During access key creation AWS allows viewing and downloading the secret access key part of the access key.
Perform the following to determine if the root account has access keys: Via the AWS Console
Log in to the AWS Management Console
Navigate to IAM service https://console.aws.amazon.com/iam/
Click on Credential Report, in the left navigation pane
This will download a .xls file that contains credential usage for all IAM users within an AWS Account - open this file.
For the user, ensure the access_key1_active and access_key_2_active fields are set to FALSE.
Via CLI Audit
Run the following commands
aws iam generate-credential-report
aws iam get-credential-report --query ‘Content’ --output text \
| base64 -d | cut -d, -fl, 9, 14 | grep -B1 ‘<root_account>’
2. For the <root_account> user, ensure the access_key_1_active and access_key_2_active fields are set to FALSE
Log in to the root user only authorized persons for performing the below Implementation steps
Do not try to login through the root user after ensuring no access key for root users.
Do not share the password of your root account.
After auditing, if the root user contains an access key then only perform the below steps.
The following steps to perform delete or disable active root access keys Via the AWS Console:
- Sign in to the AWS Management Console as Root User and open the IAM console
- Click on <Root_Account_Name> at the top right and select My Security Credentials from the drop-down menu
- Click on Access Keys(access key ID and secret access key)
- Under the Status column if any keys are Active then
Click on Make Inactive - ( Temporarily disable Key - may be needed again)
Click Delete - (Deleted keys cannot be recovered)
When you click on “Make Inactive” pop up a window “Deactive + <access_key>” click on Deactivate.
After deactivation you want to remove it permanently then click on Delete button we see a deleted window “Delete <access_key>” in this it have two option Deactivate and at the button of the right-hand delete button, here already deactivate it no fill the access key in the text box below the Deactivate button. and then click on the Delete button. It is permanently deleted from root users.
Following command to use delete the root access key
Check the access key exists or not for the root user
aws iam generate-credential-report
aws iam get-credential-report --query ‘Content’ --output text | base64 -d | cut -d, -fl, 9, 14 | grep -B1 ‘<root_account>’
2. If it is true then perform the following command to delete the access key of the root user
aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name root
If you do not want to remove the access key of the root user and unfortunately you perform the above process then
Perform all the above three steps and then click on “Create New Access Key”
Pop up the “Create Access Key “ window click on Download Key File it downloads a .csv file to see the access key id and secret access key
Note: iCompaas recommend you do not generate any access key id and secret key for the root user.
Best practices for managing AWS access keys - AWS General Reference
AWS account root user - AWS Identity and Access Management
Understanding and getting your AWS credentials - AWS General Reference
4.3 Ensure the Use of Dedicated Administrative Accounts
- Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.