Profile Applicability:

  • Level 1

Description:

Centralized root credentials management means controlling root user access to every account in your AWS environment from one place, in a secure and auditable manner. AWS Organizations can centrally manage root access for member accounts: once the feature is enabled, the management account (or a delegated administrator for IAM) can remove long-term root credentials from member accounts, block password recovery for those accounts, and perform the few tasks that still require root through short-lived, task-scoped root sessions. Least-privilege IAM roles cover day-to-day administration, MFA protects any root user that must keep credentials, and AWS Secrets Manager can hold a break-glass root password where one has to exist. This SOP ensures that root credentials are centrally managed, thereby reducing the risk of unauthorized access and ensuring that the root user is used only when absolutely necessary.

Rationale:

  • Security: Limiting root account access and using centralized management ensures that root credentials are protected and used only for critical administrative tasks. This reduces the risk of root account compromise.

  • Best Practices: AWS security best practices recommend using IAM users and roles with least privilege access and restricting the use of the root account.

  • Compliance: Many compliance frameworks (e.g., SOC 2, PCI-DSS, HIPAA) require strong access controls and centralized management of sensitive credentials.

  • Auditability: Centralized management ensures that all actions involving root credentials are tracked and auditable, helping with compliance audits.

Impact:

Pros:

  • Improved Security: Reduces the risk of root account misuse by ensuring it's used only in specific scenarios.

  • Centralized Control: Provides administrators with full control over root account usage, helping to prevent unauthorized access.

  • Audit Trails: Centralized management enables the creation of logs and alerts, ensuring that root account usage is auditable.

  • Compliance: Aligns with security frameworks and best practices that mandate control over privileged account usage.

Cons:

  • Administrative Overhead: Implementing centralized management and ensuring root credentials are securely stored and used might require additional administrative effort.

  • Potential Downtime: Once root credentials are removed from member accounts, the few tasks that still need root (for example, removing an S3 bucket policy that locks everyone out) must go through a root session from the management account. If that path is misconfigured, or the management account itself is unavailable, recovery of a member account is delayed.

Default Value:

By default, centralized root access is not enabled in AWS Organizations. Every account, including each member account, keeps its own long-term root credentials (a console password and, if someone created them, access keys), root MFA is off, and nothing outside the account constrains what its root user can do. Trusted access for IAM, the root access features, service control policies, and any Secrets Manager storage all have to be configured explicitly.

Pre-requisite:

  • AWS IAM Permissions (in the Organizations management account or the delegated administrator for IAM):

    • organizations:EnableAWSServiceAccess (to enable trusted access for iam.amazonaws.com)

    • iam:EnableOrganizationsRootCredentialsManagement and iam:EnableOrganizationsRootSessions

    • iam:ListOrganizationsFeatures and iam:GetAccountSummary (for verification)

    • organizations:CreatePolicy and organizations:AttachPolicy (for service control policies)

    • iam:CreatePolicy and iam:AttachRolePolicy (for the least-privilege roles that replace day-to-day root use)

    • secretsmanager:CreateSecret (only if a root password must be retained for break-glass use)

  • AWS CLI installed and configured (a recent version 2 release, so that the aws iam *-organizations-* and aws sts assume-root commands are available).

  • AWS Organizations with all features enabled; centralized root access is not available to consolidated-billing-only organizations.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console of the Organizations management account (or the delegated administrator for IAM).

  2. Navigate to IAM under Security, Identity, & Compliance.

  3. Open Root access management and confirm that centralized root credentials management and privileged root actions (root sessions) are both enabled, then review which member accounts still hold long-term root credentials.

  4. On the IAM dashboard, verify that MFA is enabled for the root user of every account that still holds root credentials (at minimum the management account) and that the root user has no access keys. If a break-glass root password is kept in AWS Secrets Manager, verify that the secret's resource policy limits GetSecretValue to the break-glass role.

  5. In AWS Organizations, open Policies > Service control policies and verify that a policy denying actions for the arn:aws:iam::*:root principal is attached to the organizational units that contain member accounts.

Using AWS CLI:

  1. From the management account (or the delegated administrator), check which centralized root access features are enabled for the organization:

    aws iam list-organizations-features

    Both RootCredentialsManagement and RootSessions should appear in EnabledFeatures; an empty list, or an error because the caller is not in the management account, means root access is not centrally managed.

  2. To verify root MFA and root access keys for the current account, run:

    aws iam get-account-summary --query 'SummaryMap.[AccountMFAEnabled,AccountAccessKeysPresent]'

  3. AccountMFAEnabled is an integer: 1 when the root user has an MFA device, 0 when it does not. AccountAccessKeysPresent must be 0. Repeat for every account that still holds root credentials. Listing IAM roles (aws iam list-roles) says nothing about root usage; to confirm that root activity is limited to break-glass events, search CloudTrail for events with userIdentity.type equal to Root.
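The three CLI checks above can be evaluated together from the JSON the CLI returns. The following script is an added example written for this SOP, not AWS or CIS code: it takes the SummaryMap from aws iam get-account-summary, the response of aws iam list-organizations-features, and the content of candidate service control policies, and returns a list of findings. The SAMPLE_* values are constructed so the script runs offline; in practice you would pass the live responses (for example from boto3's get_account_summary() and list_organizations_features()).

```python
"""Offline audit of centralized root access from AWS CLI / boto3 response shapes.

Added example for this SOP (not AWS or CIS code). Checks:
  * Organizations root access features (aws iam list-organizations-features)
  * root MFA and root access keys (aws iam get-account-summary)
  * an SCP that denies actions for the member-account root principal
The SAMPLE_* inputs below are constructed; their shapes match the real APIs.
"""

REQUIRED_FEATURES = {"RootCredentialsManagement", "RootSessions"}
ROOT_PRINCIPAL = "arn:aws:iam::*:root"


def _as_list(value):
    """IAM policy grammar allows either a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def scp_restricts_root(policy_doc: dict) -> bool:
    """True if a Deny statement is conditioned on the root principal ARN.

    This is the AWS-documented SCP pattern for limiting root in member
    accounts. A Deny without the condition applies to every principal in
    the account and therefore says nothing specific about root.
    """
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for operator in ("StringLike", "ArnLike"):
            arns = _as_list(cond.get(operator, {}).get("aws:PrincipalArn", []))
            if ROOT_PRINCIPAL in arns:
                return True
    return False


def audit_root_management(summary_map: dict, org_features: dict, scps: list) -> list:
    """Return a list of findings; an empty list means all checks pass."""
    findings = []
    # get-account-summary reports integers, not booleans: 1 means MFA is on.
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("Root user has no MFA device (AccountMFAEnabled != 1)")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("Root user has long-term access keys (AccountAccessKeysPresent != 0)")
    enabled = set(org_features.get("EnabledFeatures", []))
    for feature in sorted(REQUIRED_FEATURES - enabled):
        findings.append(f"Organizations root access feature not enabled: {feature}")
    if not any(scp_restricts_root(doc) for doc in scps):
        findings.append(f"No SCP denies actions for {ROOT_PRINCIPAL} in member accounts")
    return findings


# Constructed sample responses (shapes match the real APIs, values are made up).
SAMPLE_SUMMARY_GOOD = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0, "Users": 4}
SAMPLE_SUMMARY_BAD = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 4}
SAMPLE_FEATURES_ALL = {"OrganizationId": "o-exampleorgid",
                       "EnabledFeatures": ["RootCredentialsManagement", "RootSessions"]}
SAMPLE_FEATURES_NONE = {"OrganizationId": "o-exampleorgid", "EnabledFeatures": []}
SAMPLE_SCP_ROOT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRoot", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}
# A Deny with no principal condition: it restricts everyone, so it does not count.
SAMPLE_SCP_BILLING = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["aws-portal:ViewBilling"], "Resource": "*"}]}


def main():
    cases = (
        ("managed account", SAMPLE_SUMMARY_GOOD, SAMPLE_FEATURES_ALL, [SAMPLE_SCP_ROOT]),
        ("unmanaged account", SAMPLE_SUMMARY_BAD, SAMPLE_FEATURES_NONE, [SAMPLE_SCP_BILLING]),
    )
    for label, summary, features, scps in cases:
        findings = audit_root_management(summary, features, scps)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")


if __name__ == "__main__":
    main()
```

The unmanaged sample produces five findings (no MFA, access keys present, both features missing, no root-scoped SCP); the managed sample produces none. Run it per account, since get-account-summary only describes the account the credentials belong to, while list-organizations-features is answered only from the management account or the delegated administrator.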

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console of the management account and navigate to IAM.

  2. On the IAM dashboard, under Security recommendations, enable a Multi-Factor Authentication (MFA) device for the root user and delete any root access keys. Root MFA can only be set up while signed in as the root user.

  3. Open Root access management, enable centralized root credentials management and privileged root actions (root sessions), then remove long-term root credentials from each member account. Keep root credentials, protected by MFA, only where a documented need exists.

  4. If a break-glass root password must be retained (for example, the management account's), store it in AWS Secrets Manager with a resource policy that limits GetSecretValue to the break-glass role. Anyone who can read that secret is root, and Secrets Manager cannot rotate root credentials automatically.

  5. In AWS Organizations, create and attach a service control policy that denies actions for the member-account root principal (arn:aws:iam::*:root). SCPs do not apply to the management account itself.

  6. Ensure that least-privilege IAM roles (or IAM Identity Center permission sets) exist for the administrative tasks that teams previously performed as root, so that nobody needs root for day-to-day work.

Using AWS CLI:

  1. Root MFA cannot be enabled from the CLI: aws iam enable-mfa-device targets an IAM user, and there is no IAM user named root. Enable it in the console while signed in as the root user, then confirm from the CLI:

    aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'

  2. If a root password must be retained for break-glass use, store it in Secrets Manager from a file rather than on the command line (command-line arguments end up in shell history and process listings):

    aws secretsmanager create-secret --name "root-account-credentials" --secret-string file://root-credentials.json

    where root-credentials.json contains {"username":"root","password":"<password>"}. Restrict secretsmanager:GetSecretValue on this secret to the break-glass role, and treat a read of it as a root sign-in in your alerting. Secrets Manager cannot rotate root credentials; rotation remains a manual, console-only task.

  3. For centralized root access management through AWS Organizations, enable trusted access for IAM and then the two root access features, from the management account:

    aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
    aws iam enable-organizations-root-credentials-management
    aws iam enable-organizations-root-sessions

  4. Remove long-term root credentials from a member account with a task-scoped root session. The session carries only the named task policy and expires within minutes; its temporary credentials are then used to delete that account's root login profile, access keys and MFA devices:

    aws sts assume-root --target-principal <member-account-id> --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials

  5. Restrict what a member account's root user can do with a service control policy. The aws:PrincipalArn condition is what makes the Deny apply to root rather than to every principal in the account:

    aws organizations create-policy --name DenyRootMemberAccounts --description "Deny all actions for member-account root users" --type SERVICE_CONTROL_POLICY --content '{"Version":"2012-10-17","Statement":[{"Sid":"DenyRoot","Effect":"Deny","Action":"*","Resource":"*","Condition":{"StringLike":{"aws:PrincipalArn":"arn:aws:iam::*:root"}}}]}'

    Attach it with aws organizations attach-policy --policy-id <policy-id> --target-id <ou-or-account-id>. Attach it to a test OU first and confirm that the break-glass root-session workflow still works with the policy in place before rolling it out broadly.

Backout Plan:

Using AWS Console:

  1. If centralized root credentials management causes issues (for example, a member account needs a standing root login again), sign in to the AWS Management Console of the management account and open IAM > Root access management.

  2. Use a root session with the IAMCreateRootUserPassword task to recreate the member account's root password, or disable privileged root actions and centralized root credentials management for the organization. Do not remove root MFA as part of a rollback: deactivating a root MFA device is a separate, console-only action that should only happen when the device is being replaced.

  3. Check CloudTrail to confirm that the rollback itself, and any root sign-in that follows it, is recorded.

Using AWS CLI:

  1. To turn the organization-level features back off, run from the management account:

    aws iam disable-organizations-root-sessions
    aws iam disable-organizations-root-credentials-management

    Root MFA is not reverted from the CLI: aws iam deactivate-mfa-device is for IAM users, and root MFA is managed in the console. Keeping root MFA enabled is the recommended state regardless of the rollback.

  2. Verify that CloudTrail is still logging root activity. Never stop a trail as part of a rollback, since that erases the audit record of the rollback itself:

    aws cloudtrail get-trail-status --name <trail-name> --query 'IsLogging'

References:

CIS Controls Mapping:

Version   Control ID   Control Description                                                        IG1   IG2   IG3
v8        3.4          Enforce Data Retention                                                     Yes   Yes   Yes
v8        6.7          Centralize Access Control                                                  No    Yes   Yes
v8        6.8          Define and Maintain Role-Based Access Control                              No    No    Yes
v8        14.6         Train Workforce Members on Recognizing and Reporting Security Incidents    Yes   Yes   Yes