Profile Applicability:
Level 1
Description:
The AWS root user is the most privileged account in an AWS environment. AWS Access Keys provide programmatic access to an AWS account, and having access keys associated with the root user poses a severe security risk.
It is recommended to delete all access keys associated with the root user to enforce principle of least privilege and minimize attack vectors.
Rationale:
Root user access keys are a high-risk attack vector and can be used to gain full access to AWS resources.
If compromised, attackers can completely control the AWS account, leading to data breaches, unauthorized modifications, and service disruptions.
AWS Best Practices discourage the use of root user access keys and encourage the use of IAM roles and least-privileged accounts instead.
Impact:
Failure to remove root access keys increases the risk of account takeover if these credentials are leaked or misused.
Accidental use of root access keys may expose them in logs or repositories.
Using root access keys circumvents IAM policies and monitoring, making tracking difficult.
Default Value:
By default, AWS does not create access keys for the root user. However, users can manually create them.
Pre-Requisites:
AWS Account Access:
IAM user with Security Credentials access or root user.
IAM permissions: iam:GetAccountSummary, iam:ListAccessKeys, iam:DeleteAccessKey.
Security Policy:
Organization policy should restrict root access key creation and enforce regular audits.
Monitoring & Alerting:
AWS Config, AWS CloudTrail, or GuardDuty should be set up to alert on new root access key creation.
Remediation:
Test Plan:
Using AWS Console:
Login to the AWS Management Console.
Navigate to IAM Console: AWS IAM Console.
Click Credential Report (under "Access Reports").
This will download a CSV file containing credential usage for all IAM users.
Open the CSV file and check the following fields for the <root_account> user:
access_key_1_active → Should be FALSE
access_key_2_active → Should be FALSE
Using AWS CLI
- Run the following AWS CLI command:
aws iam get-account-summary | grep "AccountAccessKeysPresent"
- If no root access keys exist, the output will be: "AccountAccessKeysPresent": 0
- If the output shows "1", then root access keys exist and should be deleted.
Implementation Steps:
Using AWS Console
Login to AWS as the root user.
Open the IAM Console: AWS IAM Console
Click on Root Account Name (top-right corner) → Select My Security Credentials.
In the Security Credentials page, click Continue to Security Credentials
Scroll down to Access Keys (Access Key ID and Secret Access Key).
If active access keys exist, under Status, click Delete.
Confirm deletion (Note: Deleted keys cannot be recovered).
Using AWS Command Line
Run the following command to list root access keys:
aws iam list-access-keys --user-name root
If any access keys are returned, delete them using:
aws iam delete-access-key --user-name root --access-key-id <access-key-id>
Verify removal by rerunning the audit command:
aws iam get-account-summary | grep "AccountAccessKeysPresent
Backout Plan:
If a valid root access key was mistakenly deleted, follow these steps:
Login as root user via the AWS Management Console.
Generate a new root access key (not recommended unless absolutely necessary).
Immediately store the new access key securely (preferably offline).
Limit use and consider transitioning to an IAM role-based approach instead.