Profile Applicability: Level 1


Description:

In AWS “root” account we know it is the initial account and begins with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS root account user. So that the root account is the most privileged user in an AWS account. AWS Access Keys provides programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.


Rationale:

If anyone has root access keys they have admin-level access to all AWS resources. Removing the root access keys encourages the creation and use of role-based accounts that are least privileged and also associated with the root account limits vectors by which the account can be compromised.


Impact:

We ensure that no one will access services or resources through the root account via CLI mode.


Default Value:

By default there are no access keys are generated by AWS. If anyone creates an access key it has the status of active, During access key creation AWS allows viewing and downloading the secret access key part of the access key.


Audit:

Perform the following to determine if the root account has access keys: Via the AWS Console

  1. Log in to the AWS Management Console

  2. Navigate to IAM service https://console.aws.amazon.com/iam/

  3. Click on Credential Report, in the left navigation pane

  4. This will download a .xls file that contains credential usage for all IAM  users within an AWS Account - open this file.

  5. For the user, ensure the access_key1_active and access_key_2_active fields are set to FALSE.


Via CLI Audit

  1. Run the following commands

    aws iam generate-credential-report
    aws iam get-credential-report --query ‘Content’ --output text \
    | base64 -d | cut -d, -fl, 9, 14 | grep -B1 ‘<root_account>’


2. For the <root_account> user, ensure the access_key_1_active and access_key_2_active fields are set to FALSE


Remediation:

Pre-Requisite

  1. Log in to the root user only authorized persons for performing the below Implementation steps

  2. Do not try to login through the root user after ensuring no access key for root users.

  3. Do not share the password of your root account.

  4. After auditing, if the root user contains an access key then only perform the below steps.

Implementation Steps

The following steps to perform delete or disable active root access keys Via the AWS Console:

  1. Sign in to the AWS Management Console as Root User and open the IAM console
  2. Click on <Root_Account_Name> at the top right and select My Security Credentials from the drop-down menu
  3. Click on Access Keys(access key ID and secret access key)
  4. Under the Status column if any keys are Active then 
    • Click on Make Inactive - ( Temporarily disable Key - may be needed again)

    • Click Delete - (Deleted keys cannot be recovered)

    • When you click on “Make Inactive” pop up a window “Deactive + <access_key>” click on Deactivate.

    • After deactivation you want to remove it permanently then click on Delete button we see a deleted window “Delete <access_key>” in this it have two option Deactivate and at the button of the right-hand delete button, here already deactivate it no fill the access key in the text box below the Deactivate button. and then click on the Delete button. It is permanently deleted from root users.


Via CLI

Following command to use delete the root access key

  1. Check the access key exists or not for the root user

    aws iam generate-credential-report
    aws iam get-credential-report --query ‘Content’ --output text | base64 -d | cut -d, -fl, 9, 14 | grep -B1 ‘<root_account>’


2. If it is true then perform the following command to delete the access key of the root user

aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name root

Backout Plan

If you do not want to remove the access key of the root user and unfortunately you perform the above process then

  • Perform all the above three steps and then click on “Create New Access Key”

  • Pop up the “Create Access Key “ window click on Download Key File it downloads a .csv file to see the access key id and secret access key
    NoteiCompaas recommend you do not generate any access key id and secret key for the root user.  


References:

  1.  Best practices for managing AWS access keys - AWS General Reference 

  2. AWS account root user - AWS Identity and Access Management 

  3. Understanding and getting your AWS credentials - AWS General Reference


CIS Controls:

4.3 Ensure the Use of Dedicated Administrative Accounts 

  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.