This rule ensures there are no access keys associated with the root user account.
| | |
| --- | --- |
| Rule | Ensure no root user account access key exists |
| Framework | cis_v130 |
| Severity | ✔ High |
Ensure No Root User Account Access Key Exists for CIS v1.3.0
Description of the Rule
In the context of AWS (Amazon Web Services), the Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0 recommends that no access keys exist for the root user account, let alone be used. The root user has unrestricted access to every resource in an AWS account; it is therefore a security best practice not to create or use root access keys and instead to rely on individual IAM (Identity and Access Management) users and roles granted only the permissions they need.
Troubleshooting Steps
If a root account access key exists, it may indicate that the key is still in use, which is against security best practices. Here is how to troubleshoot and address this concern:
Necessary CLI Commands
To list access keys for the root user account using the AWS CLI:
aws iam list-access-keys --user-name root
To deactivate or delete the root user access keys using the AWS CLI, you must use the access key ID that you want to deactivate or delete:
# Deactivate the root user access key
aws iam update-access-key --access-key-id [ACCESS_KEY_ID] --status Inactive --user-name root

# Delete the root user access key
aws iam delete-access-key --access-key-id [ACCESS_KEY_ID] --user-name root
Step by Step Guide for Remediation
1. Confirm Root Access Key Exists: Use the aws iam list-access-keys --user-name root command to check for existing root user access keys.
2. Identify Usage: Investigate through the AWS Management Console's Security Credentials page to identify when the root access key was last used, which gives an indication of where it could be in use.
3. Deactivate Access Key: If you cannot immediately delete the key because of existing dependencies, deactivate it using the aws iam update-access-key command with the --status Inactive parameter.
4. Migrate Permissions: Create the necessary IAM users and roles with the required permissions, thereby migrating any root access key dependencies over to more secure, least-privilege IAM entities.
5. Delete Access Key: Once all root user access key dependencies are removed, delete the key using the aws iam delete-access-key command.

By ensuring that the root user account access key does not exist, you are adhering to the CIS AWS Foundations Benchmark v1.3.0, which enhances your AWS account security posture.
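The following script is an added example (not part of this page, the benchmark, or any AWS tooling) that automates the detection side of this rule, covering both the "Necessary CLI Commands" check and the "Identify Usage" step above. It reads the two API sources that describe the root user: the account summary from get-account-summary, whose AccountAccessKeysPresent field reports whether a root key exists, and the IAM credential report, whose <root_account> row carries the active flag, last-rotated and last-used date for each key slot. Both sources work whatever principal runs the check, which matters because the root user is not an IAM user resource: list-access-keys returns root keys only when the call itself is signed with root credentials and no --user-name is given. The account summary and credential report embedded in the script are constructed sample data (the account ID 123456789012 is AWS's documentation placeholder); the --live path assumes boto3 is installed and credentialed. A deactivated key still appears in both sources, so the check only passes once the key has been deleted.

```python
"""Detect root user access keys (CIS AWS Foundations v1.3.0 rule).

Added example, not the page's own code. Evaluates the IAM account summary
(AccountAccessKeysPresent) and the <root_account> row of the IAM credential
report. Sample inputs below are constructed; pass --live to query a real
account with boto3 (assumed installed and configured with credentials).
"""
import csv
import io
import sys
import time

ROOT_ROW = "<root_account>"

# Constructed sample of aws iam get-account-summary --query SummaryMap
SAMPLE_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1}

# Constructed sample credential report: root has one active key and one
# deactivated (but not deleted) key; an ordinary IAM user row is included
# to show that only the <root_account> row is considered.
_HEADER = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
)
SAMPLE_REPORT = _HEADER + (
    "<root_account>,arn:aws:iam::123456789012:root,2019-05-02T10:11:12+00:00,"
    "not_supported,2024-04-01T09:00:00+00:00,not_supported,not_supported,true,"
    "true,2023-01-10T08:00:00+00:00,2024-03-01T12:00:00+00:00,us-east-1,s3,"
    "false,2021-06-15T08:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-03-03T00:00:00+00:00,"
    "false,N/A,N/A,N/A,false,true,2024-01-05T00:00:00+00:00,2024-04-10T07:30:00+00:00,"
    "eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)
# Constructed report for a compliant account (no root keys at all).
CLEAN_REPORT = _HEADER + (
    "<root_account>,arn:aws:iam::123456789012:root,2019-05-02T10:11:12+00:00,"
    "not_supported,2024-04-01T09:00:00+00:00,not_supported,not_supported,true,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)


def root_keys_present(summary_map):
    """True when the account summary reports a root access key (1) rather than 0."""
    return int(summary_map.get("AccountAccessKeysPresent", 0)) == 1


def root_keys_from_report(report_csv):
    """Return one dict per root key slot that exists (last_rotated != N/A).

    A key that exists but is deactivated is still returned, with active=False,
    because the rule requires the key to be deleted, not merely disabled.
    """
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_ROW:
            continue
        keys = []
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_last_rotated"] == "N/A":
                continue  # slot empty: no key was ever created here
            keys.append({
                "slot": slot,
                "active": row[f"access_key_{slot}_active"].lower() == "true",
                "last_rotated": row[f"access_key_{slot}_last_rotated"],
                "last_used": row[f"access_key_{slot}_last_used_date"],
            })
        return keys
    raise ValueError("credential report has no <root_account> row")


def evaluate(summary_map, report_csv):
    """Combine both sources; either one reporting a root key is a FAIL."""
    present = root_keys_present(summary_map)
    keys = root_keys_from_report(report_csv)
    status = "FAIL" if (present or keys) else "PASS"
    return {"status": status, "keys_present": present, "keys": keys}


def fetch_live():
    """Pull the real account summary and credential report via boto3."""
    import boto3  # assumed available; only needed for --live
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    # Report generation is asynchronous; poll until IAM reports COMPLETE.
    for _ in range(15):
        if iam.generate_credential_report()["State"] == "COMPLETE":
            break
        time.sleep(2)
    report = iam.get_credential_report()["Content"].decode("utf-8")
    return summary, report


def main(argv):
    summary, report = fetch_live() if "--live" in argv else (SAMPLE_SUMMARY, SAMPLE_REPORT)
    finding = evaluate(summary, report)
    print(f"root access key check: {finding['status']}")
    for k in finding["keys"]:
        state = "active" if k["active"] else "inactive (still exists)"
        print(f"  slot {k['slot']}: {state}, rotated {k['last_rotated']}, last used {k['last_used']}")
    return 0 if finding["status"] == "PASS" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to see the constructed sample evaluated (it fails, listing the active key and the deactivated one that still exists); run with --live against a real account to obtain a non-zero exit code whenever a root key of any state remains, which makes the check easy to wire into a scheduled compliance job.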