Profile Applicability:
Level 1


Description:
This control ensures that the AWS root account does not have any access keys associated with it. The root account has full administrative privileges in an AWS environment, and using access keys with this account introduces significant security risks. Access keys allow programmatic access to AWS services, and if compromised, they can enable unauthorized actions without requiring MFA protection.


Rationale:
The AWS root account should only be used for essential account setup and maintenance tasks that cannot be performed by IAM users or roles. Allowing the root account to have active access keys increases the likelihood of misuse, accidental exposure, or compromise through leaked credentials or unprotected scripts. Removing these keys enforces the principle of least privilege and aligns with best practices and compliance standards such as CIS, ISO 27001, SOC 2, and NIST 800-53.


Impact:
Positive Impact: Significantly reduces the risk of unauthorized programmatic access and ensures that the root account is only used for high-security administrative tasks through console login.
Negative Impact: Automation or legacy scripts relying on the root account’s access keys will stop functioning once the keys are removed. These should be replaced with IAM roles or least-privileged IAM users.


Default Value:
By default, the AWS root account does not have access keys created. They are only generated manually by the account owner.


Pre-Requisite:

  • Root account credentials.

  • IAM permissions to view account-level credentials (optional for verification only).

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console as the root user.

  2. Click the account name (top-right corner) → Account.

  3. Under Security credentials, scroll to Access keys (access key ID and secret access key).

  4. Verify that no access keys are listed.

  5. If any access keys exist (Active or Inactive), the account is non-compliant.
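The same verification from the CLI side, as an added example that is not part of this benchmark: it evaluates `AccountAccessKeysPresent` from `aws iam get-account-summary` (1 when the root user has any access key, active or inactive, which is the non-compliant condition in step 5) together with the `<root_account>` row of the IAM credential report. The summary map and the report CSV below are constructed samples; the column names follow the real credential report format.

```python
import csv
import io

# Constructed sample of an IAM credential report (the CSV that
# `aws iam get-credential-report` returns base64-encoded). Real column names.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,access_key_1_active,"
    "access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,"
    "access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,"
    "access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,"
    "2024-01-01T00:00:00+00:00,not_supported,not_supported,true,true,2022-05-05T00:00:00+00:00,"
    "2024-01-01T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-01-01T00:00:00+00:00,false,"
    "no_information,N/A,N/A,false,true,2023-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,"
    "false,N/A,false,N/A\n"
)
# Constructed subset of the SummaryMap from `aws iam get-account-summary`.
SAMPLE_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1}


def active_root_keys(report_csv: str) -> list:
    """Return the root access-key slots the credential report marks as active."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return [c for c in ("access_key_1_active", "access_key_2_active")
                    if row[c].strip().lower() == "true"]
    raise ValueError("credential report has no <root_account> row")


def root_keys_present(summary: dict) -> bool:
    """AccountAccessKeysPresent is 1 when root has any key, active or inactive."""
    return int(summary.get("AccountAccessKeysPresent", 0)) != 0


def assess(summary: dict, report_csv: str) -> dict:
    """The summary decides compliance (an inactive key still fails the control);
    the report adds whether any root key is currently usable."""
    present = root_keys_present(summary)
    return {"compliant": not present, "keys_present": present,
            "active_slots": active_root_keys(report_csv)}


if __name__ == "__main__":
    print(assess(SAMPLE_SUMMARY, SAMPLE_REPORT))  # constructed sample: non-compliant
```

For a live check, feed it the JSON from `aws iam get-account-summary --query SummaryMap` and the base64-decoded `Content` of `aws iam get-credential-report` (run `aws iam generate-credential-report` first). The report's `access_key_N_active` columns read `false` both for an inactive key and for no key at all, so the summary field, not the report, is what decides compliance.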

Implementation Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console using the root account credentials.

  2. Navigate to the Account page → Security credentials.

  3. Scroll down to the Access keys section.

  4. If any keys exist:

    • Deactivate them by clicking Deactivate.

    • Then click Delete to permanently remove them.

  5. Ensure no new access keys are created for the root account going forward.

  6. Instead of using root access keys, create IAM users or roles with least-privilege permissions and assign programmatic access keys to those entities as needed.

Backout Plan:

  1. If deletion of a root access key disrupts necessary automation, immediately create an IAM user or role with equivalent permissions and update automation scripts to use the new credentials.

  2. Do not recreate root access keys; use IAM roles or AWS STS temporary credentials instead.

References: