Profile Applicability

  • Level 1

Description:

The root user in AWS is the account created during the initial setup of an AWS environment. It has full administrative privileges to all resources in the AWS account. However, it is not recommended to use the root user for administrative or daily tasks as this increases the risk of unintentional or malicious changes to the environment.

Instead, AWS recommends creating Identity and Access Management (IAM) users or roles with appropriate permissions to perform administrative tasks. The root user should be used only for account-level management tasks that cannot be performed by IAM users or roles (e.g., changing the account’s root email address, closing the account).

Rationale:

The root user has broad and unrestricted access to AWS resources and services. If the root user credentials are compromised, an attacker can gain full access to the AWS account, potentially resulting in:

  • Unauthorized modifications or deletions of critical resources

  • Data breaches or service disruptions

  • Compromise of sensitive account-level settings

By eliminating the use of the root user for daily administrative tasks, organizations reduce the attack surface and the risk of unintended, high-impact changes.

Impact:

Failure to eliminate the use of the root user for administrative tasks may result in:

  • Increased risk of account compromise and unauthorized access

  • Loss of control over critical account settings and resources

  • Difficulty tracking or auditing user actions, as IAM users provide more granular control and visibility

Eliminating root user access for regular tasks reduces the risk of these outcomes.

Default Value:

The root user is created automatically during AWS account setup and is enabled by default with full administrative privileges. IAM users with specific permissions must be created manually to assume administrative roles.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions to create and manage IAM users and roles

  • Access to the root user credentials to perform the necessary configurations

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Go to IAM (Identity and Access Management) and verify that the root user is not being used for administrative tasks:

    • Check IAM Users for users with AdministratorAccess or similar high-level permissions.

    • Ensure that Multi-Factor Authentication (MFA) is enabled on the root user account.

    • Check CloudTrail logs to ensure that the root user is not being used for daily tasks.

Using AWS CLI :

aws iam list-users --query 'Users[?UserName!=`root`]' --output table

To verify if MFA is enabled for the root user:

aws iam get-account-summary --query 'AccountSummary' --output table
Implementation Plan:

Using AWS Console:

  1. Create an IAM user with administrative privileges:

    • In the IAM Console, go to Users and click Add user.

    • Provide the user with programmatic access and/or console access.

    • Attach the AdministratorAccess policy to the user.

    • Set up MFA for this IAM user to add an additional layer of security.

  2. Restrict root user access:

    • Enable MFA for the root user by going to My Security Credentials in the AWS Management Console.

    • Set up MFA if it is not already enabled.

  3. Ensure IAM users assume administrative roles:

    • Assign necessary roles and permissions for tasks (e.g., using IAM roles with specific permissions for different administrative tasks).

    • Avoid using the root user for any tasks beyond account-level management.

Using AWS CLI :

aws iam create-user --user-name <new-admin-user>

aws iam attach-user-policy --user-name <new-admin-user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

To enable MFA for the root user:

aws iam enable-mfa-device --user-name root --serial-number <mfa-device-serial> --authentication-code1 <first-code> --authentication-code2 <second-code>

Backout Plan:

Using AWS Console:

  1. If the root user is accidentally disabled or restricted from administrative tasks:

    • Sign in using an IAM user with AdministratorAccess.

    • Ensure the root user has MFA enabled for extra security.

    • Restore root user permissions, if necessary, through IAM settings.

  2. Re-enable root access if required:

    • If critical administrative functions need to be performed, temporarily re-enable root access and ensure no IAM permissions conflict.

Using AWS CLI:

  1. If an IAM user is mistakenly restricted from administrative tasks:

    • Use another AdministratorAccess IAM user to restore permissions for the affected user.

  2. Re-enable the root user, if necessary:

    • Temporarily enable access for the root user via IAM or CLI, but ensure it’s only used for tasks that cannot be performed with IAM users.

References:

CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

4.9

Perform Continuous Security Monitoring and Incident Detection

CIS v7

4.4

Implement and Manage Firewall Rules

CIS v7

5.1

Implement an Identity and Access Management (IAM) Policy