Profile Applicability

  • Level 1

Description:

The root user account in AWS is the most privileged user and should not have access keys configured. Access keys are used to interact programmatically with AWS services via the AWS CLI, SDKs, or the API. By disabling or removing access keys for the root user, you reduce the risk of these highly privileged credentials being compromised or misused.

Rationale:

The root user account is inherently powerful and unrestricted. If the root user has an access key, an attacker or unauthorized individual who gains access to it can perform any action within the AWS account. Best practices recommend using IAM users with restricted permissions for programmatic access, and only using the root user for account setup and critical tasks that require root-level access.

Removing the root user's access keys mitigates the risk of unauthorized access to the account using those keys.

Impact:

If the root user's access keys are not removed:

  • Compromise of the root access keys could lead to complete control over the AWS account

  • Increased exposure to attacks such as privilege escalation and data exfiltration

  • Unauthorized API access and manipulation of AWS resources

Default Value:

AWS does not automatically create access keys for the root user; they must be manually created. If the root user account is used to generate access keys, it is a misconfiguration and should be remediated.

Pre-Requisites:

  • AWS CLI installed and configured (for command-line operations)

  • IAM permissions for iam:ListAccessKeys and iam:DeleteAccessKey

  • Access to the AWS Management Console

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console with a user that has appropriate IAM permissions

  2. Navigate to the IAM Console

  3. In the left pane, select Users

  4. Search for the root user account

  5. Under the Security credentials tab, confirm that there are no Access Keys listed for the root user

Using AWS CLI:

aws iam list-access-keys --user-name root

Ensure the list is empty or does not contain any keys for the root user.

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console with a user that has appropriate IAM permissions

  2. Go to the IAM Console

  3. In the left pane, choose Users

  4. Locate the root user and select the Security Credentials tab

  5. Under Access Keys, if any exist, click Delete to remove the root user's access keys

  6. Save changes and ensure no keys are present

Using AWS CLI:

aws iam delete-access-key --access-key-id <AccessKeyId>

Repeat for any other root access keys identified.

Backout Plan:

There is no direct backout for the removal of root user access keys. However, if a key was deleted by mistake:

  1. You would need to manually create a new access key for the root user (not recommended) via the AWS Console or CLI

aws iam create-access-key --user-name root

  1. It’s recommended that new access keys are only created if absolutely necessary and should be tightly controlled.

References:

CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

5.3

Ensure that multi-factor authentication (MFA) is enabled for all privileged users

CIS v7

4.6

Ensure Access Keys for the Root User are Disabled