Profile Applicability:
Level 1
Description:
When an AWS account is created, a root user is also created. This user cannot be disabled or deleted and has unrestricted access to all resources within the account. To align with the principle of least privilege and separation of duties, it is highly recommended that the root user is not used for daily administrative or operational tasks. Instead, IAM users and roles should be created with appropriate permissions.
Rationale:
The root user has full administrative control over an AWS account.
Using the root user increases the risk of account compromise.
Principle of Least Privilege: Administrative access should be restricted to IAM roles instead of using root.
Separation of Duties: Using the root user bypasses all access controls, making tracking difficult.
Impact:
Failure to restrict root user usage increases the risk of account takeover if credentials are leaked.
There is no way to restrict actions performed by the root user, leading to potential misconfigurations or accidental deletions.
Compliance issues with security frameworks (e.g., CIS, SOC 2, ISO 27001) that require proper role-based access control.
Default Value:
By default, AWS allows root user access without restrictions.
Root user credentials and access keys can be used unless explicitly removed.
IAM roles must be manually created to replace root user access.
Pre-Requisites:
AWS Account Access:
IAM user with Administrator permissions (AdministratorAccess).
Root user must be available for initial setup.
IAM Users and Roles Configured:
Create IAM administrators for daily administrative tasks.
Implement IAM roles for specific tasks (e.g., billing, security, support).
MFA on Root User:
Enable MFA on root to add an extra security layer.
CloudTrail and AWS Config:
Monitor root account activity using AWS CloudTrail and AWS Config rules.
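The monitoring prerequisite above says to watch root activity in CloudTrail but does not show what that check looks like. The following is an added example, not part of this benchmark text or any AWS tooling: it applies the root-usage conditions from the CIS CloudTrail metric filter (userIdentity.type is Root, no invokedBy service, and not an AwsServiceEvent) to a list of CloudTrail records. The account ID, IP addresses and events are constructed sample data.

```python
import json

# Constructed sample CloudTrail records (not real account data).
# 1: a root console login without MFA       -> should be reported
# 2: an IAM role calling an API             -> not root, ignored
# 3: root acting through a service (invokedBy) -> excluded by the filter
# 4: a root console login with MFA          -> reported, MFA noted
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T09:12:45Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
    },
    {
        "eventTime": "2024-05-01T09:15:02Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
        "sourceIPAddress": "203.0.113.11",
    },
    {
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                         "invokedBy": "cloudtrail.amazonaws.com"},
        "sourceIPAddress": "cloudtrail.amazonaws.com",
    },
    {
        "eventTime": "2024-05-02T10:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "Yes"},
    },
]


def is_root_activity(event):
    """Root-usage filter: the principal is the root user acting directly,
    not an AWS service using root's identity on the account's behalf."""
    ident = event.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident
        and event.get("eventType") != "AwsServiceEvent"
    )


def root_activity_findings(events):
    """Return one finding per direct root action, with the fields an
    on-call responder needs first: when, what, from where, MFA or not."""
    findings = []
    for ev in events:
        if not is_root_activity(ev):
            continue
        mfa = ev.get("additionalEventData", {}).get("MFAUsed", "N/A")
        findings.append({
            "time": ev["eventTime"],
            "event": f"{ev['eventSource']}:{ev['eventName']}",
            "source_ip": ev.get("sourceIPAddress"),
            "mfa_used": mfa,
        })
    return findings


def findings_from_cloudtrail_file(path):
    """Read a CloudTrail log file (the {"Records": [...]} shape that CloudTrail
    writes to S3) and return the root findings for it."""
    with open(path, encoding="utf-8") as fh:
        return root_activity_findings(json.load(fh)["Records"])


if __name__ == "__main__":
    for f in root_activity_findings(SAMPLE_EVENTS):
        print(f"{f['time']} {f['event']} from {f['source_ip']} (MFA: {f['mfa_used']})")
```

Any finding at all means the root user was used and should be reconciled against a change ticket; a finding with `mfa_used` of `No` is the one to treat as an incident candidate. The same three conditions are what a CloudWatch metric filter or SIEM rule should carry so that every root action produces an alert rather than only being discoverable after the fact.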
Remediation:
Test Plan:
Using AWS Console:
Login to AWS as an IAM administrator.
Open the IAM console.
In the left panel, click Credential Report.
Click Download Report.
Open the CSV file and find the <root_account> row.
Review the following fields:
password_last_used → Indicates the last root login.
access_key_1_last_used_date and access_key_2_last_used_date → Indicates when root keys were last used.
Using AWS Command Line:
Generate a credential report:
aws iam generate-credential-report
Retrieve the credential report:
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '<root_account>'
Review the following fields:
password_last_used
access_key_1_last_used_date
access_key_2_last_used_date
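The audit steps above leave the reviewer to read three columns by eye. The script below is an added example, not part of this benchmark or of the AWS CLI: it parses the decoded credential report CSV (what the command above emits before the `cut`), finds the `<root_account>` row, and reports any root password or access-key use inside a review window, plus any root access keys still active. The report text, account ID and dates are constructed sample data; the 90-day window is an assumed review period, not a value from this control.

```python
import csv
import io
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of a decoded credential report (not real account data).
# A real report has these same column names, which is what the code keys on.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service\n"
    "<root_account>,arn:aws:iam::111122223333:root,2019-03-04T12:00:00+00:00,"
    "not_supported,2024-04-28T08:15:00+00:00,not_supported,not_supported,true,"
    "true,2021-06-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,us-east-1,iam,"
    "false,N/A,N/A,N/A,N/A\n"
    "alice,arn:aws:iam::111122223333:user/alice,2022-01-10T09:00:00+00:00,"
    "true,2024-05-01T07:00:00+00:00,2024-01-10T09:00:00+00:00,"
    "2024-04-10T09:00:00+00:00,true,true,2024-01-10T09:00:00+00:00,"
    "2024-05-01T06:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A\n"
)

# Placeholder strings the credential report uses where no timestamp exists.
NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_report_time(value):
    """Turn a credential-report timestamp into an aware datetime, or None
    for the report's non-date placeholders."""
    if value in NOT_A_DATE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def root_row(report_text):
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["user"] == "<root_account>":
            return row
    raise ValueError("credential report has no <root_account> row")


def audit_root_usage(report_text, now, max_age_days=90):
    """Evaluate the root row: which credentials were used inside the window,
    which access keys are still active, and whether MFA is on."""
    row = root_row(report_text)
    window_start = now - timedelta(days=max_age_days)
    last_used = {
        "password_last_used": parse_report_time(row["password_last_used"]),
        "access_key_1_last_used_date": parse_report_time(row["access_key_1_last_used_date"]),
        "access_key_2_last_used_date": parse_report_time(row["access_key_2_last_used_date"]),
    }
    recent = {name: ts for name, ts in last_used.items()
              if ts is not None and ts >= window_start}
    active_keys = [k for k in ("access_key_1_active", "access_key_2_active")
                   if row[k] == "true"]
    return {
        "recent_usage": recent,          # credential -> time of use within window
        "active_root_keys": active_keys,  # keys that Step 3 should delete
        "mfa_active": row["mfa_active"] == "true",
        "compliant": not recent and not active_keys,
    }


if __name__ == "__main__":
    # Usage: aws iam get-credential-report --query Content --output text | base64 -d | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    result = audit_root_usage(text, datetime.now(timezone.utc))
    for name, ts in result["recent_usage"].items():
        print(f"root {name} within window: {ts.isoformat()}")
    print(f"active root access keys: {result['active_root_keys']}")
    print(f"root MFA active: {result['mfa_active']}")
    print("COMPLIANT" if result["compliant"] else "NON-COMPLIANT")
```

Reading the row by column name rather than by position (the `cut -d, -f1,5,11,16` above) keeps the check working if AWS adds columns to the report, and treating `no_information`, `not_supported` and `N/A` as "never" avoids a crash on the root row, where several password columns are always `not_supported`.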
Implementation Steps:
Step 1: Stop Using the Root User
Ensure that IAM users and roles are created to replace root user functions.
Educate administrators to use IAM roles instead of root.
Step 2: Change the Root User Password
Sign in to AWS Console as the root user.
Click on your account name (top-right corner).
Select My Security Credentials.
In the Password section, click Change password.
Enter a strong password and confirm.
Step 3: Delete Root Access Keys
- Sign in with the root user's own credentials and list its access keys. The root user is not an IAM user, so `--user-name root` does not address it; when no user name is given, `list-access-keys` and `delete-access-key` act on the access keys of the caller, which is how root keys are managed:
aws iam list-access-keys
- Delete each access key:
aws iam delete-access-key --access-key-id <access-key-id>
- Confirm root access keys are removed:
aws iam get-account-summary | grep "AccountAccessKeysPresent"
- Expected output: "AccountAccessKeysPresent": 0
Backout Plan:
If issues occur after restricting root access:
Temporarily enable root login (only if necessary).
Review IAM permissions to ensure administrators have access.
Restrict root access again once IAM roles are validated.