Ensure No 'Root' User Account Access Key Exists
This rule ensures that no 'root' user account access key exists, promoting better security practices.
| Rule | Ensure no 'root' user account access key exists |
| Framework | cis_v150 |
| Severity | ✔ High |
Ensure No 'Root' User Account Access Key Exists for CIS v1.5.0
Introduction
In compliance with the Center for Internet Security (CIS) AWS Foundations Benchmark v1.5.0, it is recommended that the root user's AWS account access keys should not exist. This policy reduces the risk of unauthorized access to the account since the root user has full access to all services and resources in the AWS account.
Rule Details
Description
- Rule Name: Ensure no 'root' user account access key exists.
- CIS ID: 1.14 (CIS AWS Foundations Benchmark v1.5.0).
- Severity: Critical.
The presence of root user account access keys presents an increased security risk if the keys are compromised. This rule checks for the presence of access keys associated with the root user and flags an alert if they are present.
Rationale
The root user account is the most privileged user in an AWS account. With the root user account, one can perform any action on all AWS services and resources. Therefore, securing the root user account is paramount, and it's best practice to use it sparingly. Instead, individual IAM users with least privilege should be used for day-to-day interactions with AWS resources.
Troubleshooting Steps
If a root user access key is detected, you should remove it immediately to comply with the CIS Benchmark. Here are step-by-step instructions to troubleshoot and remediate the issue:
Check for Root User Access Keys
- 1.Log in to the AWS Management Console.
- 2.Navigate to the IAM dashboard.
- 3.Under the Security Status checklist, look for "Manage your access keys."
- 4.If there is an access key(s) listed, note the details for review.
Remove Root User Access Keys
- 1.Click on “Delete” next to each access key.
- 2.Confirm the deletion of the access keys.
Automating the Audit of Root User Access Keys
You can use the AWS CLI to list access keys of the root account, which provides a quicker and automatable method to check the root account's access keys status.
aws iam list-access-keys --user-name root
If any access keys are returned, follow the next step to remove them.
Automating the Removal of Root User Access Keys
Use the AWS CLI to delete a specific access key for the root user.
aws iam delete-access-key --access-key-id <ACCESS_KEY_ID> --user-name root
Replace
<ACCESS_KEY_ID>Step by Step Guide for Remediation
- 1.Identify Root Access Keys: Use the above-mentioned CLI command to list any root access keys.
- 2.Assess Usage: Before deleting the keys, check if they are used in any applications or automated scripts.
- 3.Communicate: Inform your team that you will delete the root access keys and plan accordingly.
- 4.Rotate Keys: If the root keys are in use, rotate them by creating new IAM user keys and updating all systems before deleting the root keys.
- 5.Delete the Access Keys: Use the CLI command for deleting the access keys belonging to the root user.
- 6.Verify: After deletion, run the list-access-keys command again to ensure no keys are associated with the root user.
- 7.Update Policies: Update your company policies to prevent future creation of root user access keys.
- 8.Monitor: Set up AWS CloudTrail and AWS Config to monitor and log any creation of root user access keys automatically.
By following these steps, you ensure that no root user account access key exists, thereby improving the security posture of your AWS account in line with the CIS v1.5.0 benchmark.