Description:
With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and controls over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.
Rationale:
The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties and can lead to unnecessary harm due to error or account compromise.
Impact:
Not using the root user for administrative and daily tasks will reduce unnecessary harm due to full access to all AWS services.
Default Value:
By default, the root account is used initially.
Pre-Requisite:
Root user access.
Remediation:
Test Plan:
AWS Console Process
Login to the AWS Management Console - IAM https://us-east-1.console.aws.amazon.com/iam/.
In the left pane, click Settings and choose Credential report.
Click on Download Report.
- Open or save the file locally.
- Locate the `<root_account>` row under the user column.
- Review password_last_used, access_key_1_last_used_date and access_key_2_last_used_date to determine when the 'root user' was last used.
Using AWS CLI
The following example generates a credential report for the AWS account, decodes it, and prints the root user's last-used columns (user, password_last_used, access_key_1_last_used_date, access_key_2_last_used_date):
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d |
cut -d, -f1,5,11,16 | grep -B1 '<root_account>'
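As an added example (not part of the original benchmark text), the same test-plan check performed over the decoded credential report in Python, so it can be run against the output of `aws iam get-credential-report ... | base64 -d` and flag root activity inside a review window; the report contents, account ID and timestamps below are constructed sample data.

```python
"""Evaluate root user activity from a decoded IAM credential report (CSV)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a decoded credential report; column names match the
# real report, all values (account ID, dates, users) are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-05T09:00:00+00:00,not_supported,2024-03-01T14:20:11+00:00,not_supported,not_supported,true,true,2021-06-10T08:00:00+00:00,2024-02-27T11:05:40+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-02-01T10:00:00+00:00,true,2024-03-02T08:15:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,2024-03-02T08:16:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Markers the report uses in date columns when there is no usable timestamp.
NO_DATE = {"N/A", "no_information", "not_supported", ""}
LAST_USED_COLUMNS = (
    "password_last_used",
    "access_key_1_last_used_date",
    "access_key_2_last_used_date",
)


def parse_timestamp(value):
    """Return an aware datetime for an ISO 8601 report value, else None."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value)


def root_activity(report_csv, as_of, max_age_days=30):
    """Summarise root usage as of the ISO 8601 timestamp `as_of`.

    Returns the parsed last-used timestamps, which access keys are active,
    which credentials were used within `max_age_days`, and a compliance
    flag that is True only when root has no active keys and no recent use.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next(r for r in rows if r["user"] == "<root_account>")
    last_used = {col: parse_timestamp(root[col]) for col in LAST_USED_COLUMNS}
    active_keys = [n for n in (1, 2) if root[f"access_key_{n}_active"] == "true"]
    cutoff = parse_timestamp(as_of) - timedelta(days=max_age_days)
    recent = sorted(col for col, ts in last_used.items() if ts and ts >= cutoff)
    return {
        "last_used": last_used,
        "active_access_keys": active_keys,
        "recently_used": recent,
        "compliant": not recent and not active_keys,
    }


if __name__ == "__main__":
    print(root_activity(SAMPLE_REPORT, "2024-03-05T00:00:00+00:00"))
```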
Implementation Plan:
AWS Console Process
Login to the AWS Management Console as root user.
On the top right, click on the username and select Account.
In the account settings, click on Edit.
- Enter the root user email address and password for authentication.
- Click Edit under Password.
Enter the current root user password and the new password, then click Save changes.
- Now check whether any access keys exist.
- Sign in to the AWS Identity and Access Management (IAM) console as the AWS account root user.
- Choose your account name on the navigation bar, and then choose Security credentials.
Expand Access keys to check whether any access keys exist.
If present, click on Delete under Actions and select Deactivate.
To confirm deletion, enter the access key ID in the text input field and click on Delete.
Using AWS CLI
Changing the root user password is not available through the AWS CLI.
The following delete-access-key command deletes the specified access key (access key ID and secret access key) for the IAM user named Bob:
aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name Bob
Backout Plan:
For the backout plan, do not change the root user password and do not delete the access keys.
Note:
The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access keys for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.
Reference:
AWS account root user - AWS Identity and Access Management
generate-credential-report — AWS CLI 1.27.109 Command Reference